Information sending system, information sending device, information receiving device, information distribution system, information receiving system, information sending method, information receiving method, information distribution method, apparatus, sending method of information receiving device, playback method of apparatus, method of using contents and program storing medium

ABSTRACT

Content data encrypted with a content key, the content key encrypted with an individual key specific to an information sending device, and the individual key encrypted with a distribution key that is updated in a predetermined cycle, and supplied are sent to an information receiving device, and the information receiving device decrypts the individual key with the distribution key, decrypts the content key with the individual key, and decrypts the content data with the content key. Thus, the information sending device does not have the distribution key, and accordingly piracy of content data can be prevented with a simple configuration. Also, the information receiving device sends the content key and a playback command to other apparatuses. Thus, other apparatuses can play back contents using the playback command and the content key. Furthermore, the information sending device decrypts the content key with the distribution key before being updated, and stores the same. Thus, contents purchased by an advance order can be actually purchased regardless of expiration dates of the distribution key. Furthermore, usage right is passed from a first information receiving device to a second information receiving device different in registration information at the tome of using contents. Thus, contents can be used among information receiving devices different from each other in registration information.

TECHNICAL FIELD

The present invention relates to an information sending system, aninformation sending device, an information receiving device, aninformation distribution system, an information receiving system, aninformation sending method, an information receiving method, aninformation distribution method, an apparatus, a sending method of theinformation receiving device, a playback method of the apparatus, amethod of using contents and a program storing medium, and is suitablyapplied to, for example, an information sending system allowing an owneror a seller of contents to distribute contents safely to a user of thecontents.

BACKGROUND ART

There are systems in which information (contents) such as music isencrypted and is sent to an information processing device of a user withwhom a predetermined contract has been signed, and the user decryptscontents with the information processing device to use the contents.

For example, cases where two content sending devices and a contentreceiving device are provided as shown in FIG. 96 will be described.

A first content sending device 600 has a data encrypting portion 601, adata encrypting portion 602, a content key generating portion 603 and atamper resistant memory 604. Furthermore, the tamper resistant memorycited herein may be one that cannot be easily read out by a third party,and does not require a particular limitation in terms of hardware (forexample, it may be a hard disk placed in an entrance-controlled room, ahard disk of a password-controlled personal computer, or the like). Adistribution key K_(d) required for encrypting a content key K_(co) issupplied in advance to the tamper memory 604 from an electronicdistribution service center (not shown) and is stored therein.

For generating data to be passed to the content receiving device 620,the content sending device 600 uses the content key generating portion603 to generate the content key K_(co1), and uses this key to encryptcontents at the content encrypting portion 601. Also, the content keyK_(co1) is encrypted at the data encrypting portion 602 using thedistribution key K_(d). The encrypted contents and content key K_(co1)are sent to the content receiving device 620.

In this connection, as in the case of the content sending device 600, asecond content sending device 610 has a data encrypting portion 611, adata encrypting portion 612, a content key generating portion 613 and atamper resistant memory 614, generates the content key K_(co2) at thecontent key generating portion 613, and encrypts contents by the dataencrypting portion 611 using this key. Also, the data encrypting portion612 encrypts the content key K_(co2) using the distribution key K_(d)supplied from the electronic distribution service center (not shown). Inthis way, the second content sending device 610 sends the encryptedcontents and the encrypted content key K_(co2) to the content receivingdevice 620.

The content receiving device 620 has a sending and receiving portion621, a host controller 622, a cipher processing portion 623, a memory624, a data decrypting portion 625, a data decrypting portion 626 and atamper resistant memory 627. Furthermore, since any number of users usecontents and it is impossible to understand how content users manipulatean apparatus, the tamper resistant memory cited herein needs to haveinternal data protected in terms of hardware, and thus the cipherprocessing portion 623 is a semiconductor chip having a structure thatis hardly accessed from the outside, and has a multi-layer structure,and its internal tamper resistant memory is sandwiched between dummylayers such as aluminum layers, and also the range of operating voltageand/or frequency is narrow, and so on, thus characteristically making itdifficult to read out data illegally from the outside. And, in thetamper resistant memory 627, the distribution key K_(d) supplied inadvance from the electronic distribution service center (not shown) isstored.

In this connection, the tamper resistant memories 604, 614 of thecontent sending devices, 600, 610 are memories that can be accessed fromthe outside, but constraints are added to methods of making an access tothose memories. It may be a password or room entrance-control. On theother hand, in the tamper resistant memory 627 of the content receivingdevice 620, the memory itself has a structure that is not accessedillegally from the outside, methods of reading internal data from theoutside using normal accessing means are limited, or there are no suchmethods at all. Furthermore, for the tamper resistant memory 627, itsinternal data cannot be read at all from the outside, but there may be aaccessing method in which only the change of data can be performed fromthe outside if previous key data and the like are used. Also, in thecipher processing portion 623, predetermined data can be read out bymaking an access to the memory, while the internal memory cannot be readout from the outside.

The contents and the content keys K_(co1) and K_(co2) sent from thecontent sender 600 or 610 are received at the sending and receivingportion 621, and are delivered to the host controller 622. The hostcontroller 622 stores these data in the memory on a temporary basis, andpasses the content key K_(co) and the contents to the cipher processingportion 623 in case of using the contents. The cipher processing portion623 which receives them performs decryption using the distribution keyK_(d) stored in advance in the tamper resistant memory 627 at the datadecrypting portion 625, and then decrypts contents at the datadecrypting portion 626 using the content key K_(co), and uses thecontents. At this time, accounting may be involved.

However, in the conventional information processing system shown in FIG.96, the content sending devices 600 and 610 use the same distributionkey K_(d), thus raising a problem that content information can bepirated by each other. As one method for solving this problem, themethod in which the piracy of content information among sending devicesis avoided by using a different distribution key K_(d) for each contentsending device is conceivable. In this case, however, there is adisadvantage that the content receiving device needs to retain all thedistribution keys K_(d), thus making a configuration and receivingmethod of the content receiving device more complicated.

Also, an information receiving device that does not have content usageright, among information receiving devices that receive contents, canhardly use the contents.

Furthermore, information needed for using the distribution key K_(d) andthe other contents distributed from the information sending device isupdated in predetermined timing, and information receiving devices thatdo not have a new key K_(d) and other information hardly use thecontents.

Furthermore, in the case where registration information for usingcontents is different among a plurality of information receiving devicesthat use the contents, it is difficult to exchange content data betweeninformation receiving devices different from each other in suchregistration information.

DISCLOSURE OF THE INVENTION

The present invention has been made considering the above respects, andproposes an information sending system, an information distributionsystem, an information sending device, an information receiving device,an information sending method, an information receiving method and aprogram storing medium that are capable of preventing piracy of contentswith a simple configuration.

In the present invention, for solving such problems, the informationsending device encrypts content data with a predetermined content key,encrypts the above described content key with an individual key specificto the information sending device, and sends the content data encryptedwith the content key, the content key encrypted with the individual keyand an encrypted individual key supplied from the outside, which isconstituted by encrypting the individual key with a predetermineddistribution key, to the information receiving device, and theinformation receiving device decrypts the individual key with thedistribution key given in advance, decrypts the content key with suchdecrypted individual key, and decrypts the content data with suchdecrypted content key.

Thus, a plurality of information sending devices use their specificindividual keys respectively, and does not have the distribution key,thereby making it possible to prevent illegal use of content data, thatis, piracy between information sending devices. And, the informationreceiving device can decrypt contents from a plurality of informationsending devices by having only one kind of distribution key.

Also, the present invention has been made considering the aboverespects, and proposes an information distribution system, aninformation distribution method, an information receiving device, anapparatus, a sending method of the information receiving device, aplayback method of the apparatus and a program storing medium in whicheven an information receiving device that does not have content usageright, among information receiving devices that use contents, can usethe contents.

In the present invention, for solving such problems, the informationreceiving device having content usage right has the content key fordecrypting the content data distributed from the information sendingdevice, generates a playback command for another apparatus that does nothave content data usage right, and sends again the generated playbackcommand and the content key to another apparatus.

Thus, even in another apparatus that does not retain content playbackright, the contents can be played using the playback command and thecontent key received from the information sending device which retainsthe contents.

Furthermore, the present invention has been made considering the above,and proposes an information distribution system, an informationdistribution method, an information receiving device, an informationreceiving method and a program storing medium in which contents can beused even after the expiration date of the information needed for usingthe distribution key and the other contents distributed from theinformation sending device.

In the present invention, for solving such problems, the informationsending device encrypts the content key with the individual key specificto the information sending device, and sends at least the content keyencrypted with the individual key and the encrypted individual keysupplied from the outside, which is constituted by encrypting theindividual key with the distribution key that is updated in apredetermined cycle, to the information receiving device, and theinformation receiving device decrypts the individual key with thedistribution key given in advance before the distribution key isupdated, decrypts the content key with such decrypted individual key,and saves such decrypted content key.

Therefore, by performing decryption of the content key by purchasereservation before the expiration date of the distribution key, theinformation receiving device can decrypt contents after suchdistribution key is updated, thus making it possible to really purchasethe reserved contents even after the expiration date of the distributionkey.

Furthermore, the present invention has been made considering the aboverespects, and proposes an information receiving system, a method ofusing contents and a program storing medium, which make it possible topass content data among receiving devices that are different from eachother in registration information for using contents.

In the present invention, for solving such problems, registrationinformation is passed among a plurality of information receiving devicesthat are different from each other in registration information for usingcontent data, thereby mutually determining whether or not the contentdata can be used among the plurality of information receiving devices,and a first information receiving device having content data usage rightamong the plurality of information receiving devices passes the usageright to a second information receiving device with which it isdetermined that the content data can be used.

Thus, among groups different from each other in registration informationfor using content data, it is made possible to use contents at thesecond information receiving device to which the usage right is passedfrom the first information receiving device, whereby the content datacan be passed even among information receiving devices different fromeach other in registration information, and thus the ease-of-use by theuser may be further improved.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing an entire configuration of anelectronic music distribution system according to the present invention.

FIG. 2 is a block diagram showing a configuration of an electronicdistribution service center.

FIG. 3 is a schematic diagram showing an example of a periodic update ofa key.

FIG. 4 is a schematic diagram showing an example of a periodic update ofthe key.

FIG. 5 is a schematic diagram showing an example of a periodic update ofthe key.

FIG. 6 is a schematic diagram showing an example of a periodic update ofthe key.

FIG. 7 is a schematic diagram showing data contents of a userregistration database.

FIG. 8 is a schematic diagram showing registration information for eachgroup.

FIG. 9 is a block diagram showing a configuration of a content provider.

FIG. 10 is a flow chart showing a signature generation procedure.

FIG. 11 is a flow chart showing a signature evaluation procedure.

FIG. 12 is a flow chart showing an elliptic curve encryption method.

FIG. 13 is a flow chart showing decryption processing of the ellipticcurve encryption.

FIG. 14 is a block diagram showing a configuration of a serviceprovider.

FIG. 15 is a block diagram showing a configuration of a user homenetwork.

FIG. 16 is a schematic diagram available for explanation of operationsof an external memory controlling portion.

FIG. 17 is a block diagram showing a configuration of an electronicdistribution-only recording medium.

FIG. 18 is a block diagram showing data contents possessed by eachapparatus.

FIG. 19 is a block diagram showing data contents retained by therecording medium.

FIG. 20 is a schematic block diagram showing the flow of data of theentire system.

FIG. 21 is a schematic block diagram showing the flow of public keycertificates.

FIG. 22 is a schematic diagram showing content provider securecontainer.

FIG. 23 is a schematic diagram showing the content provider securecontainer.

FIG. 24 is a schematic diagram showing the content provider securecontainer.

FIG. 25 is a schematic diagram showing the content provider securecontainer.

FIG. 26 is a schematic diagram showing the public key certificate of thecontent provider.

FIG. 27 is a schematic diagram showing the public key certificate of thecontent provider.

FIG. 28 is a schematic diagram showing the public key certificate of thecontent provider.

FIG. 29 is a schematic diagram showing a service provider securecontainer.

FIG. 30 is a schematic diagram showing the service provider securecontainer.

FIG. 31 is a schematic diagram showing the public key certificate of theservice provider.

FIG. 32 is a schematic diagram showing the public key certificate of auser apparatus.

FIG. 33 is a schematic diagram showing a handling policy of singlecontents.

FIG. 34 is a schematic diagram showing the handling policy of albumcontents.

FIG. 35 is a schematic diagram showing another example of the handlingpolicy of single contents.

FIG. 36 is a schematic diagram showing another example of the handlingpolicy of album contents.

FIG. 37 is a schematic diagram showing price information of singlecontents.

FIG. 38 is a schematic diagram showing price information of albumcontents.

FIG. 39 is a schematic diagram showing another example of priceinformation of single contents.

FIG. 40 is a schematic diagram showing another example of priceinformation of album contents.

FIG. 41 is a schematic diagram showing license condition information.

FIG. 42 is a schematic diagram showing accounting information.

FIG. 43 is a schematic diagram showing another example of the accountinginformation.

FIG. 44 is a schematic diagram showing a list of usage right contents.

FIG. 45 is a schematic diagram showing the usage right.

FIG. 46 is a schematic diagram showing single contents.

FIG. 47 is a schematic diagram showing album contents.

FIG. 48 is a schematic diagram showing key data for single contents.

FIG. 49 is a block diagram available for explanation of encryptionprocessing of an individual key.

FIG. 50 is a schematic diagram showing key data for album contents.

FIG. 51 is a timing chart showing processing of cross authenticationusing a symmetrical key technique.

FIG. 52 is a timing chart showing processing of cross authenticationusing an asymmetrical key encryption technique.

FIG. 53 is a schematic block diagram showing operations of sendingaccounting information.

FIG. 54 is a schematic diagram showing benefit distribution processingoperations.

FIG. 55 is a schematic diagram showing operations of sending a contentusage record.

FIG. 56 is a flow chart showing a processing procedure of distributingand playing back contents.

FIG. 57 is a flow chart showing a processing procedure of performingsend to the content provider.

FIG. 58 is a flow chart showing a processing procedure of registeringsettlement information.

FIG. 59 is a flow chart showing a processing procedure of newlyregistering an apparatus ID.

FIG. 60 is a flow chart showing a processing procedure of additionallyregistering an apparatus.

FIG. 61 is a flow chart showing processing of determining an updatestart condition of registration information.

FIG. 62 is a flow chart showing a processing procedure of updatingregistration information.

FIG. 63 is a flow chart showing a processing procedure of updatingregistration information as a proxy by a stationary apparatus.

FIG. 64 is a flow chart showing a processing procedure of updatingregistration information as proxy by the stationary apparatus.

FIG. 65 is a flow chart showing a processing procedure of sending thesecure container.

FIG. 66 is a flow chart showing a processing procedure of sending thesecure container.

FIG. 67 is a flow chart showing a processing procedure of purchasing ahome server.

FIG. 68 is a flow chart showing a processing procedure of checkingtampering when data is read out.

FIG. 69 is a flow chart showing a processing procedure of checking for atamper when data is written.

FIG. 70 is a flow chart showing a processing procedure of checking for atamper when data is rewritten.

FIG. 71 is a flow chart showing a processing procedure of checking fortamper when data is deleted.

FIG. 72 is a flow chart showing a processing procedure of playing backcontents by the home server.

FIG. 73 is a flow chart showing a processing procedure of playing backcontents by the home server.

FIG. 74 is a flow chart showing a processing procedure of purchasingcontent usage right as a proxy by the home server.

FIG. 75 is a flow chart showing a processing procedure of changingcontents of a user who has completed purchase.

FIG. 76 is a schematic diagram showing contents of rule part of thehandling policy.

FIG. 77 is a schematic diagram showing contents of rule part of priceinformation.

FIG. 78 is a schematic diagram showing an example of changing rightcontents.

FIG. 79 is a flow chart showing a processing procedure of redistributingcontent usage right.

FIG. 80 is a flow chart showing a processing procedure of purchasingcontent usage right by the stationary apparatus.

FIG. 81 is a schematic diagram showing transition of rule part oflicense condition information.

FIG. 82 is a flow chart showing a processing procedure of transferringmanagement transfer right.

FIG. 83 is a flow chart showing a processing procedure of giving backmanagement transfer right.

FIG. 84 is a block diagram showing an information sending systemaccording to the present invention.

FIG. 85 is a block diagram showing the information sending systemaccording to the present invention.

FIG. 86 is a flow chart showing a remote playback processing procedure.

FIG. 87 is a flow chart showing a booking purchase processing procedure.

FIG. 88 is a flow chart showing a real purchase processing procedureafter booking purchase.

FIG. 89 is a flow chart showing a proxy purchase processing procedurewhen the home server performs accounting.

FIG. 90 is a flow chart showing a proxy purchase processing procedurewhen non-group apparatus performs accounting.

FIG. 91 is a block diagram showing another configuration of theelectronic music distribution system.

FIG. 92 is a block diagram showing a configuration of the electronicdistribution service center constituted by a personal computer.

FIG. 93 is a block diagram showing a configuration of the contentprovider constituted by the personal computer.

FIG. 94 is a block diagram showing a configuration of the serviceprovider constituted by the personal computer.

FIG. 95 is a block diagram showing a configuration of the user homenetwork using the personal computer.

FIG. 96 is a block diagram showing a conventional example.

BEST MODE FOR CARRYING OUT THE INVENTION

In the following, one embodiment of the present invention will bedescribed in detail with reference to the drawings.

(1) Information Distribution System

FIG. 1 explains an EMD (Electronic Music Distribution) system 10applying the present invention. Contents distributed to a user throughthis system is digital data with information itself having a value, andin the case of this example, one content corresponds to music data ofone song. For contents, one content is provided as one unit (single), ormultiple contents are provided as one unit (album) to the user. The userpurchases contents (in fact, purchases right to use a content keyK_(co)), and uses the contents that is provided (in fact, decrypts thecontents using the content key K_(co) and uses the same). Furthermore,of course, the invention is applicable not just to the sale of musicdata, but also to the sale of all the contents such as images and gameprograms.

An electronic distribution service center (END Service Center) 1 sendsto content provider 2 an individual key K_(i) and a public keycertificate of the content provider 2, sends to a service provider 3 thepublic key certificate of the service provider 3, sends a distributionkey K_(d) and registration information to a user home network 5,receives accounting information and the like appropriate to the use ofcontents and the registration information from the user home network 5,settles a charge for use based on the accounting information, andperforms processing of distributing benefits to the content provider 2,the service provider 3 and the electronic distribution service center 1themselves.

The content provider 2 has digitized contents, inserts an electronicwater mark into the contents for demonstrating that it is its owncontents, compresses and encrypts the contents, generates a handlingpolicy for the contents, and adds signature data to send the same to theservice provider 3.

The service provider 3 adds price information to the contents suppliedfrom the content provider 2, and adds the signature data thereto to sendthe same to the user home network 5 via a network 4 constituted by adedicated cable network, an internet or satellite communication.

The user home network 5 obtains the contents sent from the serviceprovider 3 with the price information added thereto, purchases contentusage right, and carries out purchase processing. The usage right thatis purchased may be, for example, playback usage right or replicationright. And, the accounting information generated through purchaseprocessing is stored in a tamper resistant memory in a cipher processingportion of the apparatus retained by the user, and is sent to theelectronic distribution service center 1 when the user home network 5obtains the distribution K_(d) from the electronic distribution servicecenter 1.

FIG. 2 is a block diagram showing a configuration of a function of theelectronic distribution service center 1. A service provider managingportion 11 supplies the public key certificate of the service provider 3and information of benefit distribution to the service provider 3, andreceives information (price information) added to contents as required.Content provider managing portion 12 sends the individual key K_(i), theindividual key K_(i) encrypted with the distribution key K_(d), and thepublic key certificate of the content provider 2 and supplies theinformation of benefit distribution to the content provider 2, andreceives information (handling policy) added to contents as required. Acopyright managing portion 13 sends information showing a record ofcontent usage of the user home network 5 to a group managing copyrights,for example JASRAC (Japanese Society for Rights of Authors, Composersand Publishers). A key server 14 performs generation, maintenance andmanagement of the key for use in the entire system and for example, theindividual key K_(i) different for each content provider is generatedand the individual key K_(i) encrypted with the distribution key K_(d)is also generated together therewith, and these are supplied to thecontent provider 2 via the content provider managing portion 12 and theindividual key K_(i) encrypted with the distribution key K_(d) is alsosupplied to an authenticator station 22 as required, and thedistribution key K_(d) is supplied to the user home network 5 via a usermanaging portion 18. Also, all of the public key/secret key of theelectronic distribution service center 1 and the public key/secrete keyspecific to the apparatus retained by the user are generated andmanaged, and the public key is sent to the authenticator station 22 andis used for creating the public key certificate. Also, there may becases where a save key K_(save) appropriate to an apparatus specific IDthat is unique to a cipher processing portion 92 described later may begenerated and retained.

An example of periodic send of the key from the electronic distributionservice center 1 to a home server 51 (described later) constituting thecontent provider 2 and the user home network 5 will be describedreferring to FIG. 3 to FIG. 6. FIG. 3 shows the distribution key K_(d)and individual key K_(i) that the electronic distribution service center1 has, the individual key K_(i) that the content provider 2 has, and thedistribution key K_(d) that the home server 51 has, in January, 2000, ofwhich contents start to be provided by the content provider 2 and ofwhich contents start to be used by the home server 51 constituting theuser home network 5. Furthermore, although omitted in the following, thecontent provider 2 shall also retain the individual key K_(i) encryptedwith the distribution key K_(d) corresponding to the individual keyK_(i).

In the example of FIG. 3, the distribution key K_(d) and the individualkey K_(i) can be used from the first day to the last day of a calendarmonth and for example, the distribution key K_(d) being version 1 havinga value of “a a a a a a a a” that is the random number of apredetermined bit number and the individual key K_(i) being version 1having a value of “z z z z z z z z” can be used Jan. 1, 2000 to Jan. 31,2000 (That is, the content key K_(co) encrypting the contents which theservice provider 3 distributes to the user home network 5 in the periodof Jan. 1, 2000 to Jan. 31, 2000 is encrypted with the individual keyK_(i) being version 1, and the individual key K_(i) being version 1 isencrypted with the distribution key K_(d) being version 1), and thedistribution key K_(d) being version 2 having a value of “b b b b b b bb” that is the random number of a predetermined bit number and theindividual key K_(i) being version 2 having a value of “y y y y y y y y”can be used from Feb. 1, 2000 to Feb. 29, 2000 (That is, the content keyK_(co) encrypting the contents which the service provider 3 distributesto the user home network 5 in that period is encrypted with theindividual key K_(i) being version 2, and the individual key K_(i) beingversion 2 is encrypted with the distribution key K_(d) being version 2).In a similar way, the distribution key K_(d) and the individual keyK_(i) being version 3 can be used in March, 2000, the distribution keyK_(d) and the individual key K_(i) being version 4 can be used in April,2000, the distribution key K_(d) and the individual key K_(i) beingversion 5 can be used in May, 2000, and the distribution key K_(d) andthe individual key K_(i) being version 6 can be used in June, 2000.

Before the content provider 2 starts to provide contents, the electronicdistribution service center 1 sends to the content provider 2 the sixindividual keys K_(i) of version 1 to version 6 that can be used fromJanuary to June, 2000 and those that are encrypted with the distributionkeys K_(d) of same versions respectively, and the content provider 2receives and stores the six individual keys K_(i), and the individualkeys encrypted with the distribution keys K_(d). The reason why theindividual key K_(i) and the individual key K_(i) encrypted with thedistribution key K_(d) for June are stored is that the content provider2 needs a predetermined period to prepare for encrypting contents andthe content key K_(co) and so on before providing the contents.

Also, before the home server 51 starts to use contents, the electronicdistribution service center 1 sends the three available distributionkeys K_(d) being version 1 to version 3 to the home server 51 fromJanuary, 2000 to March, 2000, and the home server 51 receives and storesthe three distribution keys K_(d). The distribution key K_(d) for Marchis stored for the purpose of avoiding the situation where contentscannot be purchased despite the contracted period over which thecontents can be purchased, due to the trouble that the home server 51cannot be connected to the electronic distribution service center 1because of the congested line and so on, and also for the purpose ofreducing the frequency of connection to the electronic distributionservice center 1, and curbing simultaneous accesses by individualapparatuses to the electronic service center 1, thus reducing the loadon the electronic distribution service center 1.

In the period of Jan. 1, 2000 to Jan. 31, 2000, the distribution keyK_(d) and the individual key K_(i) being version 1 are used at theelectronic distribution service center 1, the content provider 2 and thehome server 51 constituting the user home network 5.

Sending of the distribution key K_(d) and the individual key K_(i) bythe electronic distribution service center 1 to the content provider 2and the home server 51 in Feb. 1, 2000 will be described with referenceto FIG. 4. The electronic distribution service center 1 sends to thecontent provider 2 the six individual keys K_(i) of version 2 to version7 that can be used from February, 2000 to July, 2000 and those that areencrypted with the distribution keys K_(d) of same versionsrespectively, and the content provider 2 receives the six individualkeys K_(i), and the individual keys K_(i) encrypted with thedistribution keys K_(d), overwrites the individual keys K_(i) andindividual keys K_(i) encrypted with the distribution keys K_(d), whichhave been stored before the reception, and stores the new individualkeys K_(i) and individual keys K_(i) encrypted with distribution keysK_(d). The electronic distribution service center 1 sends to the homeserver 51 the three available distribution keys K_(d) being version 2 toversion 4 from February, 2000 to April, 2000, and the home server 51receives the three distribution keys K_(d), overwrites the distributionkeys K_(d) stored before the reception, and stores the new distributionkeys K_(d). The electronic distribution service center 1 directly storesthe distribution keys K_(d) and the individual keys K_(i) being version1 to 7. This is for the purpose of making it possible to use thedistribution key K_(d) used in the past when an unexpected troubleoccurs or when a fraud occurs or is discovered.

In the period of Feb. 1, 2000 to Feb. 29, 2000, the distribution keyK_(d) and the individual key K_(i) being version 2 are used at theelectronic distribution service center 1, the content provider 2 and thehome server 51 constituting the user home network 5.

Sending of the distribution key K_(d) and the individual key K_(i) bythe electronic distribution service center 1 to the content provider 2and the home server 51 in Mar. 1, 2000 will be described with referenceto FIG. 5. The electronic distribution service center 1 sends to thecontent provider 2 the six individual keys K_(i) of version 3 to version8 that can be used from March, 2000 to August, 2000 and those that areencrypted with the distribution keys K_(d) of same versionsrespectively, and the content provider 2 receives the six individualkeys K_(i), and the individual keys K_(i) encrypted with thedistribution keys K_(d), overwrites the individual keys K_(i) andindividual keys K_(i) encrypted with the distribution keys K_(d), whichhave been stored before the reception, and stores the new individualkeys K_(i) and individual keys K_(i) encrypted with distribution keysK_(d). The electronic distribution service center 1 sends to the homeserver 51 the three available distribution keys K_(d) being version 3 toversion 5 from March, 2000 to May, 2000, and the home server 51 receivesthe three distribution keys K_(d), overwrites the distribution keysK_(d) stored before the reception, and stores the new distribution keysK_(d). The electronic distribution service center 1 directly stores thedistribution keys K_(d) and the individual keys K_(i) being version 1 to8. This is for the purpose of making it possible to use the distributionkey K_(d) used in the past when an unexpected trouble occurs or when afraud occurs or is discovered.

In the period of Mar. 1, 2000 to Mar. 31, 2000, the distribution keyK_(d) and the individual key K_(i) being version 3 are used at theelectronic distribution service center 1, the content provider 2 and thehome server 51 constituting the user home network 5.

Sending of the distribution key K_(d) and the individual key K_(i) bythe electronic distribution service center 1 to the content provider 2and the home server 51 in Apr. 1, 2000 will be described with referenceto FIG. 6. The electronic distribution service center 1 sends to thecontent provider 2 the six individual keys K_(i) of version 4 to version9 that can be used from April, 2000 to September, 2000 and those thatare encrypted with the distribution keys K_(d) of same versionsrespectively, and the content provider 2 receives the six individualkeys K_(i), and the individual keys K_(i) encrypted with thedistribution keys K_(d), overwrites the individual keys K_(i) andindividual keys K_(i) encrypted with the distribution keys K_(d), whichhave been stored before the reception, and stores the new individualkeys K_(i) and individual keys K_(i) encrypted with distribution keysK_(d). The electronic distribution service center 1 sends to the homeserver 51 the three available distribution keys K_(d) being version 4 toversion 6 from April, 2000 to June, 2000, and the home server 51receives the three distribution keys K_(d), overwrites the distributionkeys K_(d) stored before the reception, and stores the new distributionkeys K_(d). The electronic distribution service center 1 directly storesthe distribution keys K_(d) and the individual keys K_(i) being version1 to 9. This is for the purpose of making it possible to use thedistribution key K_(d) used in the past when an unexpected troubleoccurs or when a fraud occurs or is discovered.

In the period of Apr. 1, 2000 to Apr. 30, 2000, the distribution keyK_(d) and the individual key K_(i) being version 4 are used at theelectronic distribution service center 1, the content provider 2 and thehome server 51 constituting the user home network 5.

In this way, by distributing in advance the distribution key K_(d) andthe individual key K_(i) for the later month, the user can purchasecontents anyway, and can receive the key by making an access to thecenter at an appropriate time, even if he or she has made no access tothe center for one or two months.

A background data managing portion 15 of the electronic distributionservice center 1 (FIG. 2) retains and manages accounting informationthat is information showing the usage record of the contents collectedby the user managing portion 18, price information corresponding to thecontents as required (any one or both of price information sent from theservice provider 3 and price information that is added to the accountinginformation and sent by the user), the handling policy corresponding tothe contents as required (one or both of the handling policy sent fromthe content provider 2 and the handling policy that is added to theaccounting information and sent by the user), and outputs data when theservice provider managing portion 11, the content provider managingportion 12 or the like uses the price information and usage history.Furthermore, there may be cases where the price information and thehandling policy are not sent from the service provider 3 and the contentprovider 2 if required data is already written in the accountinginformation. A benefit distributing portion 16 calculates the benefitsof the electronic distribution service center 1, the content provider 2and the service provider 3, based on the accounting information, and theprice information and the handling policy as required supplied from thebackground data managing portion 15. There may be cases where theinformation is supplied to a banking portion 20 and benefit distributionis performed through the banking portion 20, but there may also be caseswhere the benefit distribution is not performed, and only theinformation is sent to the service provider managing portion 11, thecontent provider managing portion 12 and the copyright managing portion13, money of sales itself is put in the service provider, and theservice provider 3 distributes the benefits to each benefit recipient. Across authenticating portion 17 executes cross authentication describedlater with predetermined apparatus of the content provider 2, theservice provider 3 and the user home network 5.

The user managing portion 18 has a user registration database, and whenregistration is requested from the apparatus of the user home network 5,it retrieves the user registration database, and creates registrationinformation of registering the apparatus or refusing to register theapparatus or the like, in accordance with recorded contents of thedatabase. When the user home network 5 is constituted by a plurality ofapparatuses having functions that can be connected to the electronicdistribution service center 1, the user managing portion 18 defines anapparatus for which settlement is made in the registration informationand registers the settlement ID, and further defines processingoperations of purchasing contents, defines the range of apparatusesconstituting the user home network and defines information on suspensionof transactions, and sends the same to the predetermined apparatus(settlement-capable apparatus) of the user home network 5.

An example of the user registration database shown in FIG. 7 illustratesa registration state for each network group built in the user homenetwork 5, and in each group are recorded a group ID representing the IDof the group, and IDs specific to apparatuses constituting the homenetwork 5, and information of whether or not connection to theelectronic distribution service center 1 is possible, whether or notsettlement processing is possible, whether or not the contents can bepurchased, which apparatus performs settlement processing, whichapparatus requests the purchase of contents, whether or not registrationis possible and the like corresponding to the IDs (That is, for eachapparatus having the ID).

The group ID recorded in the user registration database is assigned foreach user home network, and settlement and update of information areperformed in this group unit. Therefore, in principle, a representativeapparatus in the group performs on its own communication, settlementprocessing and update of information with the electronic distributionservice center 1, and other in the group do not perform transactionsdirectly with the electronic distribution service center 1. The IDsrecorded in the user registration database are used for identifying anapparatus with the ID assigned individually for each apparatus.

Information of whether or not connection to the electronic distributionservice center 1 recorded in the user registration database is possibleshows whether or not the apparatus can be physically connected to theelectronic distribution service center 1, and even an apparatus recordedas connectable one is not connected to the electronic distributionservice center 1 in principle, unless it is considered to be capable ofsettlement processing (However, it may be connected to the electronicdistribution service center 1 as a proxy on a temporary basis if therepresentative apparatus in the group becomes unable to performsettlement processing operations for some reason). Also, the apparatusrecorded as an apparatus that is not connectable outputs accountinginformation and the like to the electronic distribution service center 1via the apparatus capable of settlement processing in the user homenetwork 5.

The information of whether or not settlement processing is possible,which is recorded in the user registration database, shows whether ornot the apparatus is capable of settlement processing. When the userhome network 5 is constituted by a plurality of apparatuses capable ofpurchasing content usage right and so on, one apparatuses of them thatis capable of settlement processing sends to the electronic distributionservice center 1 the accounting information, and the price informationand the handling policy, as required, of all the apparatuses registeredin the electronic distribution service center 1 of the user home network5, and receives the distribution key K_(d) and the registrationinformation from the electronic distribution service center 1 inresponse to completion of the settlement processing. In this way,processing at the electronic distribution service center 1 isalleviated, compared to performing processing for each apparatuses.

The information of whether or not purchase processing is possible, whichis recorded in the user registration database, represents whether or notthe apparatus is capable of purchasing content usage right. Theapparatus that is not capable of purchasing the right has proxy purchaseof usage right (which means that the apparatus has usage right purchasedby another apparatus and receives all the right. The supplier retains noright), redistribution (a system in which content usage right that hasbeen already purchased is purchased again in the same contents of usageright or the different contents of usage right. At this time, thesupplier retains no right. Redistribution is mainly intended to givediscounts. Only groups using the same settlement ID can receive benefitsof discounts. Because for processing in the group belonging to the samesettlement ID, a burden of processing on the electronic distributionservice center 1 is reduced, and thus the discount can be received forit), or management transfer (Although content playback right,particularly an open-ended playback right can be transferred, at aplayback right sender, which apparatuses is a playback right receiver ismanaged, and management transfer cannot be performed again if theplayback right is not given back, and at the playback right receiver,which apparatuses is the playback right sender is managed, andmanagement transfer cannot be performed at all, and the playback rightcan only be given back to the playback right sender which has given theplayback right) performed by another apparatus capable of purchasing theright to obtain the content usage right.

Now, using methods/usage right of contents and methods of purchasingcontents will be briefly described. For content using methods, there aretwo methods, a method in which those who manage and retain content usageright on their own use the contents, and a method in which they executeusage right retained by another apparatus to use the contents at theirown apparatuses. Content usage rights include open-ended playback right(The period and the number of times for playing back contents are notlimited, and contents are played back in the case of music contents, butcontents are run in the case of game programs and the like), playbackright with limit on time (The period over which the contents can beplayed is limited), playback right with limit on the number of times(The number of times for playing the contents is limited), open-endedreplication right (The period and the number of times for replicatingthe contents are not limited), replication right with limit on thenumber of times (The number of times for replicating the contents islimited) (The replication right includes replication right without copymanagement information, replication right with copy managementinformation (SCMS) and the like, and in addition, replication right fordedicated media and the like) (Also, there may be replication right withlimit on time), and management transfer right. And, methods ofpurchasing usage right include, in addition to normal purchase topurchase these usage rights directly, change of the usage right contentsto change the contents of usage right already purchased to othercontents, redistribution to purchase usage right separately based on theright already purchased by another apparatus, proxy purchase to haveusage right purchased by another apparatus as a proxy, and albumpurchase to purchase and manage a plurality of content usage rightstogether.

Information described by the proxy settler recorded in the userregistration database shows the ID of the apparatus that sends to theelectronic distribution service center 1 as a proxy the accountinginformation generated when content usage right is purchased.

Information described by proxy purchasers recorded in the userregistration database shows the ID of the apparatus that purchases usageright as a proxy for the apparatus that is not capable of purchasingusage right. However, in the case where all apparatuses in the groupthat are capable of purchase processing are proxy purchasers, record isnot necessarily made.

Information of whether or not registration is possible, which isrecorded in the user registration database is updated based on theinformation about payments in arrears, fraud and the like, which issupplied from accounting entities (such as banks) or credit cardcompanies. For the request for registration of an apparatus having an IDrecorded as registration impossible, the user managing portion 18refuses its registration, and after that, the apparatus of whichregistration is refused can neither purchase contents of this system norperform send and reception of data with other apparatuses in the userhome network 5. Also, in some cases, use of purchased contents may belimited (However, there may be cases where the apparatus is registeredagain after it is brought in the electronic distribution service center1 and the like and is checked). Also, in addition to “registrationpossible” and “registration impossible”, there may be state of“unfinished settlement” and “temporary halt”.

Also, the user managing portion 18 is supplied with accountinginformation, registration information, and price information andhandling policy as required from the apparatus of the user home network5, outputs the accounting information, the price information and thehandling policy to the background data managing portion 15, and suppliesthe distribution key K_(d) and the registration information to theapparatus of the user home network 5. Timing with which they aresupplied will be described later.

Now, registration information will be described using FIG. 8. Theregistration information in FIG. 8 has settlement IDs and signaturesadded thereto, in addition to the information of the user registrationdatabase, and only information of the same settlement group is includedtherein. The settlement ID represents an ID in the user informationdatabase (such as bank account numbers and credit card numbers) of theuser, which an account charging portion 19 and the banking portion 20use when performing settlement. Generation of signatures will bedescribed later.

Referring to FIG. 2 again, the account charging portion 19 calculatesbills to the user based on the accounting information, and the priceinformation and the handling policy as required, supplied from thebackground data managing portion 15, and supplies the result thereof tothe banking portion 20. It also provides the settlement information tothe user via the user managing portion 18 as required. The bankingportion 20 communicate with an external bank and the like not shown inthe figure based on the amount of money dispatched to the user, thecontent provider 2 and the service provider 3, and the amount of usagecharges to be collected, and carries out settlement processing.Furthermore, there may be cases where the banking portion 20 has all themoney of sales sent to the service provider 3, and the service provider3 distributes benefits based on money distribution information sent viathe benefit distributing portion 16. An auditing portion 21 audits thecorrectness of the accounting information, the price information and thehandling policy supplied from the apparatus of the user home network 5,based on the handling policy supplied from the content provider 2 andthe price information supplied from the service provider 3.

Also, processing by the auditing portion 21 include processing ofauditing the consistency of the amount of money added from the user homenetwork 5 with the total amount of money subjected to benefitdistribution or the amount of money sent to the service provider 3, andprocessing of making a audit on whether or not, for example, contentprovider ID and a service provider ID that cannot exist andunconceivable earnings, prices and the like are included in data in theaccounting information supplied from the apparatus of the user homenetwork 5.

The authenticating portion 22 generates a certificate of the public keysupplied from the key server 14 and sends the certificate to the contentprovider 2 and the service provider 3, and also generates the public keycertificate that is stored in a large capacity storing portion 68(described later) of the home server 51 and a small capacity storingportion 75 (described later) of the stationary apparatus 52 when theuser apparatus is manufactured. In the case where the content provider 2does not perform authoring of contents, as an alternation for it, thereare a content server 23 and content authoring 24 retaining contents.

FIG. 9 is a block diagram showing a configuration of functions of thecontent provider 2. A content server 31 stores contents to be suppliedto the user and supplies the contents to an electronic watermark addingportion 32. The electronic watermark adding portion 32 inserts contentprovider ID representing its property into the contents supplied fromthe content server 31 in the form of electronic watermark, and suppliesthe same to a compressing portion 33. The compressing portion 33compresses the contents supplied from the electronic watermark addingportion 32 by a system such as ATRAC (Adaptive Transform AcousticCoding) (Trademark), and supplies contents to a content encryptingportion 34. In this connection, for compression systems, MP3, AAC or thelike may be used in place of ATRAC. The content encrypting portion 34encrypts the contents compressed at the compressing portion 33 by acommon key encryption system such as DES (Data Encryption Standard),using a key (hereinafter, this key is referred to as contents keyK_(co)) supplied from a content key generating portion 35, and outputsthe result thereof to a signature generating portion 38.

The content key generating portion 35 generates a random number of apredetermined bit number to be the content key K_(co), and supplies tothe content encrypting portion 34 and a content key encrypting portion36 the random number from which bit strings called weak keys unsuitablefor encryption (for example, K_(co)=1E1E1E1E0E0E0E0E and1EE01EE00EF00EF0) are removed. When a cipher algorithm free from suchunsuitable bit strings is used, processing of removing unsuitable bitstrings is not required. The content key encrypting portion 36 encryptsthe key K_(co) by the common key encryption system, using the individualkey K_(i) supplied from the electronic distribution service center 1,and outputs the result thereof to the signature generating portion 38.In this connection, the encryption system is not limited to DES, and forexample, a public key cryptosystem such as RSA (Rivest, Shamir, Adleman)may be used.

DES is an encryption system that processes unencrypted 64 bits as oneblock using a common key of 56 bits. The process of DES is composed of aportion by which the unencrypted text is stirred and converted intoencrypted text (data stirring portion) and a portion by which a key usedin the data stirring portion (extended key) is generated from the commonkey (key processing portion). Since all the algorithms of DES arepublished, fundamental processing of the data stirring portion will bebriefly described, here.

First, the unencrypted 64 bits are divided into HO of upper 32 bits andL0 of lower 32 bits. The output of an F function having the L0 of lower32 bits stirred is calculated with an extended key K_(i) of 48 bitssupplied from the key processing portion and the L0 of lower 32 bits asinputs. The F function is constituted by two kinds of fundamentalconversions, “letter conversion” for replacing numeric values by apredetermined rule and “inversion” for changing bit positions by apredetermined rule. Next, the HO of upper 32 bits and the output of theF function are subjected to exclusive disjunction, and the resultthereof shall be L1. The L0 shall be H1.

The above described process is repeated sixteen times, based on the HOof upper 32 bits and the L0 of lower 32 bits, and the obtained resultingH16 of upper 32 bits and L16 of lower 32 bits are outputted as encryptedtexts. Decryption is achieved by following the aforesaid procedureinversely, using the common key used for the encryption.

Furthermore, this embodiment illustrates DES as a common key cipher, butany one of FEAL (Fast Encryption Algorithm), IDEA (International DataEncryption Algorithm and E2 proposed by NTT (Trademark) and AES(Advanced Encryption Standard) that is an American next encryptionstandard and the like may be adopted.

A handling policy generating portion 37 generates a content handlingpolicy, and outputs the handling policy to the signature generatingportion 38 in response to the contents to be encrypted. Furthermore, thehandling policy generating portion 37 may supply the generated handlingpolicy to the electronic distribution service center 1 via communicatingmeans not shown in the figure, and the data thereof is retained andmanaged. The signature generating portion 38 adds electronic signaturesto the encrypted contents, the encrypted content key K_(co), theencrypted individual key K_(i) and the handling policy, and sends thesame together with a certificate C_(cp) of the content provider 2 to theservice provider 3 (Hereinafter, the encrypted contents, the encryptedcontent key K_(co), the encrypted individual key K_(i) and the handlingpolicy to which the electronic signatures are added respectively usingthe secret key of the content provider 3 are referred to as contentprovider secure container). Furthermore, instead of adding a signatureto individual data separately, one signature may be added to the entiredata.

A cross authenticating portion 39 performs cross authentication with theelectronic distribution service center 1, and also performs crossauthentication with the service provider 3 as required prior to thesending of the content provider secure container to the service provider3. Since a memory 40A retains the individual key K_(i) that must beretained in secrecy by the content provider 2, it is desired that thememory 40A is a tamper resistant memory which is not vulnerable toreadout of data by a third party, but no particular limitation in termsof hardware is required (for example, it may be a hard disk placed in anentrance-controlled room, a hard disk of a password-controlled personalcomputer, or the like). Also, since a memory 40B only stores theindividual key K_(i) encrypted with the distribution key K_(d) and thepublic key certificate of the content provider 2, it may be any memorysuch as a normal memory (Because of the published information, itrequires no secrecy). Furthermore, the memory 40A and the memory 40B maybe integrated into one memory.

The signature is data that is attached to data or a certificatedescribed later to check tampering and authenticate an author, and iscreated by determining a hash value with a hash function based on thedata to be sent and using with this the secret key of the public keycipher.

The hash function and the signature will be described. The hash functionis a function that uses predetermined data to be sent as input,compresses it into data of a predetermined bit length, and outputs thedata as a hash value. The hash function has characteristics thatprediction of input from the hash value (output) is difficult, and manybits of the hash value are changed when 1 bit of the data inputted tothe hash function is changed, and it is difficult to locate input datahaving the same hash value. As the hash function, MD (Message Digest) 4,MD5, SHA (Secure Hash Algorithm)-1 are used.

The signature generating portion 38 of the sending device (contentprovider 2) that sends data and signatures, for example, generates thesignature using an elliptic curve cipher that is a public keycryptosystem. This processing will be described using FIG. 10 (EC-DSA(Elliptic Curve Digital Signature Algorithm), IEEE P1363/D). In Step S1,M is defined as a massage, p as a characteristic number, a and b ascoefficients of the elliptic curve (Elliptic curve: y²=x³+ax+b), G as abase point on the elliptic curve, r as a number of the G place, and K asa secret key (0<K_(a)<r). In Step S2, the random number u is generatedwith a random number generation unit so that the random number u is0<u<r. in Step S3, a coordinate with the base point multiplied by u iscalculated. Furthermore, addition and doubling on the elliptic curve aredefined as follows.P=(X ₀ , Y ₀), Q=(X ₁ , Y ₁), R=(X ₂ , Y ₂)=P+Q, wherein:when P γ QX ₂=λ² −X ₀ −X ₁Y ₂=λ(X ₀ −X ₂)−Y ₀λ=(Y ₁ −Y ₀)/(X ₁ −X ₀)when P=QX ₂=λ²−2X ₀Y ₂=λ(X ₀ −X ₂)−Y ₀λ=(3X ₀ ² +a)/2Y ₀.Using these equations, point G multiplies by u is calculated (A slow butmost understandable operation method is as follows. G, 2G, 4G ∃ ∃ arecalculated, u is subjected to binary development to add thereto(2^(i))×G corresponding to the place where 1 stands (i is a bit positioncounted from the LSB of u)). C=X_(V) mod r is calculated in Step S4, andwhether or not this value is 0 is determined in Step S5 and advancementto Step S6 is made if not 0, where the hash vale of the massage M iscalculated to determine f=SHA-1 (M). Next, d=[(f+cK_(s))/u] mod r iscalculated in Step S7, and whether or not d is 0 is determined in StepS8. If d is not 0, c and d are signature data. If assuming that r is of160 bit length, the signature data is of 320 bit length.

In Step S5, if c is 0, a return to Step S2 is made to generate a newrandom number again. In a similar way, if d is 0 in Step S8, a return toStep S2 is made to generate a random number again.

The receiving device (user home network 5) that has received thesignature and data verifies the signature using, for example, theelliptic curve cipher that is the public key cryptosystem. Thisprocessing will be described using FIG. 11. In Step S10, M is defined asa massage, p as a characteristic number, a and b as coefficients of theelliptic curve (Elliptic curve: y²=x³+ax+b), G as a base point on theelliptic curve, r as a number of the G place, and G and Ks G as secretkeys (0<K_(s)<r) (by the receiving device). In Step S11, whether or notthe signature data c and d satisfy 0<c and d<r is checked. If they aresatisfied, the hash value of the massage M is calculated in Step S12 todetermine f=SHA-1 (M). Next, h=1/d mod r is calculated in Step S13, andh₁=fh and h₂=ch mod r are calculated in Step S14. In Step S15, P=(X_(p),Y_(p))=h₁ G+h₂ K_(s) G is calculated using h₁ and h₂ that has beenalready calculated. A signature verification performer knows the publickey G and K_(s)G, thus being able to carry out this calculation as inthe case of Step S3. Then, whether or not P is an infinite remote pointis determined, and if not an infinite remote point, advancement to StepS17 is made (in fact, determination for the infinite remote point can bedone in Step S15. That is, when addition of P=(X, Y) and Q=(X, −Y) isperformed, the aforesaid λ can not be calculated, which shows that R isan infinite remote point) X_(p) mod r is calculated in Step S17 and iscompared with the signature data c. If this value matches the signaturedata, advancement to Step S18 is made to determine that the signature iscorrect.

In the case where it is determined that the signature is correct, it isunderstood that the received data is not tampered and is the data sentfrom the sending device retaining the secret key corresponding to thepublic key.

If the signature data c and d do not satisfy 0<c and d<r in Step S11,advancement to Step S19 is made. Also, if P is an infinite remote pointin Step S16, advancement to Step S19 is made. Furthermore, if the valueof X_(p) mod r does not match the signature data c in Step S17,advancement to Step S19 is also made. In Step S19, it is determined thatthe signature is incorrect.

In the case where it is determined that the signature is incorrect, itis understood that the received data is tampered and is not data sentfrom the sending device retaining the secret key corresponding to thepublic key.

Furthermore, in this embodiment, SHA-1 is used as a hash function, butany function of MD4, MD 5 and the like may be used. Also, generation andverification of the signature may be performed using the RSA cipher(ANSI X9. 31-1).

Now, encryption/decryption of the public key cryptosystem will bedescribed. In contrast to the common key cryptosystem in which the samekey (common key) is used in both encryption and decryption, in thepublic key cryptosystem, the key for use in encryption is different fromthat for use in decryption. In the case where the public keycryptosystem is used, even if one of the keys is published, the othercan be kept secret, and the key that may be published is referred to asa public key and the other that is kept secret is referred to as asecret key.

The elliptic curve encryption that is typical of public keycryptosystems will be described. In FIG. 12, M_(x) and M_(y) are definedas a message, p as a characteristic number, a and b as coefficients ofthe elliptic curve (Elliptic curve: y²=x³+ax+b), G as a base point onthe elliptic curve, r as a number of the G place, and G and K_(s) G assecret keys (0<K_(s)<r) in Step S 20. In Step S21, a random number u isgenerated so that the random number u is 0<u<r. In step S22, acoordinate V with the public key K_(s)G multiplied by u is calculated.Furthermore, since scalar multiplication on the elliptic curve uses asame method as that described for the signature generation, explanationabout it is omitted here. In Step S23, the X coordinate of V ismultiplied by M_(x) and the remainder is determined with p to define itas X₀. In Step S24, the Y coordinate of V is multiplied by M_(y) and theremainder is determined with p to define it as Y₀. Furthermore, if thelength of the message is smaller than the bit number of p, M_(y) uses arandom number, and M_(y) is discarded at the decrypting portion. uG iscalculated in Step S25, and the encrypted text uG (X₀, Y₀) is obtainedin Step S26.

Now, decryption of the public key cryptosystem will be described usingFIG. 13. In Step S30, uG and (X₀, Y₀) are defined as encrypted textdata, p as a characteristic number, a and b as coefficients of theelliptic curve (Elliptic curve: y²=x³+ax+b), G as a base point on theelliptic curve, r as a number of the G place, and K_(s) as a secret key(0<K_(s)<r). In Step S31, the encrypted data uG is multiplied by thesecret key K_(s). In Step S32, the X coordinate of (X₀, Y₀) is taken outof the encrypted data, and X₁=X₀/X_(v) mod p is calculated. In Step S33,Y₁=Y₀/Y_(v) mod p is calculated. And, in Step S34, X₁ is defined M_(x)and Y_(i) is defined as M_(y) to take out the massage. At this time, ifM_(y) is not defined as the message, Y₁ is discarded.

In this way, in the public key cryptosystem, the secret key is definedas K_(s) and the public key is defined as G, K_(s) G, thereby allowingthe key for use in encryption and the key for use in decryption to bedifferent from each other.

Also, as for another example of the public key cryptosystem, RSAencryption (Rivest, Shamir, Adleman) is known.

FIG. 14 is a block diagram showing a configuration of the function ofthe service provider 3. A content server 41 stores the public keycertificate of the content provider 2 and the encrypted contentssupplied from the content provider 2. For the public key certificate ofthe content provider 2, the signature in the certificate is verified ata certificate checking portion 42 with the public key of theauthenticator station 22, and if the verification is successful, thepublic key of the content provider 2 is supplied to a signatureverifying portion 43. At the signature verifying portion 43, thesignature of the content provider 2 for the handling policy stored inthe content server 41 is verified, using the public key of the contentprovider 2 which has just verified, and if the verification issuccessful, the handling policy is supplied to a pricing portion 44. Atthe pricing portion 44, price information is created from the handlingpolicy, and is supplied to a signature generating portion 45. At thesignature generating portion 45, the signature for the price informationis generated, using the secret key of the service provider 3 retained inthe tamper resistant memory not shown in the figure (similar to 40A inthe content provider 2) (Hereinafter, the content provider securecontainer and price information to which electronic signatures are addedusing the secret key of the service provider 3 is referred to as aservice provider secure container). Furthermore, in stead of addingsignatures to the price information, one signature may be generated forthe entire content provider secure container and price information. And,the service provider secure container, the public key certificate of thecontent provider 2 and the public key certificate of the serviceprovider 3 are supplied to the user home network 5 via the network 4(FIG. 1). A cross authenticating portion 46 performs crossauthentication with the electronic distribution service center 1, andalso performs cross authentication with the content provider asrequired, and with the user home network 5 if possible via the internet,cable communication and the like.

FIG. 15 is a block diagram showing a configuration of the user network5. The home server 51 receives a secure container containing contentsfrom the service provider 3 via the network 4, purchases content usageright, and executes the right to perform decryption, extension, playbackand replication of contents.

A communicating portion 61 communicates with the service provider 3 orthe electronic distribution service center 1 via the network 4, andreceives or sends predetermined information. A host controller 62receives a signal from inputting means 63, displays a predeterminedmessage and the like on displaying means 64, performs processing such asthe purchase of content usage right using a cipher processing portion65, supplies the encrypted contents read out from a large capacitystoring portion 68 to an extending portion 66, and stores the encryptedcontents and the like in the large capacity storing portion 68. Theinputting means 63 sends a signal from a remote controller and inputdata from an input button to the host controller 62. The displayingmeans 64, which is constituted by a display device such as a liquidcrystal display, gives instructions to the user and displaysinformation. The inputting means 63 and the displaying means 64 becomesa touch panel-type liquid crystal display as required, and may beintegrated into one device. The cipher processing portion 65 performscross authentication with the cipher processing portion of the serviceprovider 3, the electronic distribution service center 1 or otherapparatuses to purchase content usage right, and performsencryption/decryption of predetermined data, manages an external memoryretaining the content key K_(co) and license condition information, andstores the distribution key K_(d), accounting information and the like.The extending portion 66 performs cross authentication with the cipherprocessing portion 65 to receive the content key K_(co), decrypts theencrypted contents supplied from the host controller 62, using thiscontent key K_(co), extends the contents with a predetermined systemsuch as ATRAC, and inserts a predetermined electronic watermark into thecontents. The external memory 67 is constituted by a nonvolatile memorysuch as a flash memory and a volatile memory with backup power, andstores the content key K_(co) encrypted with the save key K_(save) andlicense condition information. The large capacity storing portion 68 isa storage device such as a HDD and an optical memory disk, and storesthe content provider secure container and the service provider securecontainer (the encrypted contents, the content key K_(co) encrypted withthe individual key K_(i), the individual key K_(i) encrypted with thedistribution key K_(d), the handling policy, price information and theirsignatures), the public key certificate, registration information andthe like.

The cipher processing portion 65 performing cross authentication withthe electronic distribution service center 1, purchasing content usageright and generating accounting information, carrying outdecryption/encryption of predetermined data, managing the externalmemory retaining the content key K_(co) and license conditioninformation, and storing the distribution key K_(d), accountinginformation and the like is constituted by a controlling portion 91, amemory module 92, a registration information checking module 93, apurchase processing module 94, a cross authentication module 95, anencryption/decryption module 96, and an external memory controllingportion 97. This cipher processing portion 65 is composed of a cipherprocessing only IC of single chip, and has a multiple layer structure,and the memory cell therein is sandwiched between dummy layers such asaluminum layer, and also the range of the operating voltage or frequencyis narrow, and so on, thus making it difficult to read out dataillegally from the outside, as a property (tamper resistance).

The controlling portion 91 controls each module in accordance with acommand from the host controller 62, and sends the result from eachmodule to the host controller 62. The memory module 92 stores accountinginformation supplied from the purchase processing module 94 and datasuch as the distribution key K_(d), and supplies data such as thedistribution key K_(d) when other function blocks carry outpredetermined processing. The registration information checking module93 checks registration information supplied from the host controller 62,and determines whether or not cross authentication with anotherapparatus in the user home network 5 is performed, whether or notaccounting information is passed, and whether or not redistribution ofthe contents is performed. The purchase processing module 94 newlygenerates license condition information from the handling policy andprice information contained in the secure container received from theservice provider 3 (and in some cases, license condition informationalready stored) and outputs the license condition information to theexternal memory controlling portion 97 or the controlling portion 91,and generates accounting information and outputs the same to the memorymodule 92. The cross authentication module 95 carries out crossauthentication with the electronic distribution service center 1, andthe cipher processing portion and the extending portion 66 of otherapparatuses in the home network 5, and generates a temporary keyK_(temp) (session key) and supplies the same to theencryption/decryption module 96, as required.

The decryption/encryption module 96 is constituted by a decryption unit111, an encryption unit 112, a random number generation unit 113, asignature generation unit 114 and a signature verification unit 115. Thedecryption unit 111 decrypts the individual key K_(i) encrypted with thedistribution key K_(d), and decrypts the content key K_(co) encryptedwith the individual key K_(i), and decrypts various kinds of dataencrypted with the temporary key K_(temp). The encryption unit 112encrypts the decrypted content key K_(co) with the save key K_(save)retained in the memory module 92 and outputs the same to the externalmemory controlling portion 97 via the controlling portion 91, andencrypts various kinds of data with the temporary key K_(temp). Therandom number generation unit 113 generates a random number of apredetermined digit and supplies the random number to the crossauthentication module 95 and the signature generation unit 114. Thesignature generation unit 114 calculates the hash value of the messagesupplied from the controlling portion 91, and generates signature datausing the random number supplied from the random generation unit 113 andoutputs the signature data to the controlling portion 91. The signatureverification unit 115 determines whether or not the signature is correctfrom the message and signature data supplied from the controllingportion, and outputs the result thereof to the controlling portion 91.Furthermore, a method for generating/verifying a signature is similar tothose described in terms of FIG. 10 and FIG. 11.

The external memory controlling portion 97 controls the external memory67 to perform read and write of data, and carries out data verificationas to whether or not the data in the external memory is tampered. FIG.16 is a block diagram for explaining operations of the external memorycontrolling portion 97. In FIG. 16, N tamper preventing hash values(Integrity Check Values) are stored in the memory module 92. Theexternal memory 67 is divided into N blocks of data areas, and M pairsof content keys K_(co) and license condition information can be writtenin each data area. Also, in the external memory 67, other areas that canbe freely used are prepared. The tamper preventing hash value ICV is ahash value for all the data in the external memory 67 correspondingthereto. Procedures of reading and writing of the external memory willbe described later, using flowcharts.

The extending portion 66 (FIG. 15) decrypting and extending contents andadding a predetermined electronic watermark thereto is constituted by across authentication module, a key decryption module 102, a decryptionmodule 103, an extension module 104, an electronic watermark addingmodule 105 and a memory module 106. The cross authentication module 101performs cross authentication with the cipher processing portion 65, andoutputs the temporary key K_(temp) to the key decryption module 102. Thekey decryption module 102 decrypts with the temporary key K_(temp) thecontent key K_(co) which is read from the external memory 67 andencrypted with the temporary key K_(temp), and outputs the content keyK_(co) to the decryption module 103. The decryption module 103 decryptsthe contents recorded in the large capacity storing portion 68 with thecontent key K_(co), and outputs the same to the extension module 104.The extension module 104 further extends the decrypted contents with asystem such as ATRAC, and outputs the contents to the electronicwatermark adding module 105. The electronic watermark adding module 105inserts the individual ID of the cipher processing portion subjected topurchase processing into the contents, using an electronic watermarktechnique, outputs the same to a speaker not shown in the figure, andhas music played back.

In the storage module 106 is stored key data that is needed for crossauthentication with the cipher processing portion 65. Furthermore, it isdesired that the extending portion 66 has tamper resistance.

The external memory 67 stores license condition information which isgenerated when the right is purchased at the purchase processing module94 and the content key K_(co) encrypted with the save key K_(save). Thelarge capacity storing portion 68 records the secure container, thepublic key certificate, registration information and the like suppliedfrom the service provider.

The stationary apparatus 52 recording and playing back the contentssupplied from the service provider 3 in a recording medium 80 such as aninserted optical disk and semiconductor memory are constituted by acommunicating portion 71, a host controller 72, a cipher processingportion 73, an extending portion 74, a small capacity storing portion75, a recording and playing portion 76, inputting means 77, displayingmeans 78, an external memory 79 and the recording medium 80. Thecommunicating portion 71 has same functions as those of thecommunicating portion 61, and explanations thereof are thus omitted. Thehost controller 72 has same functions as those of the host controller62, and explanations thereof are thus omitted. The cipher processingportion 73 has same functions as those of the cipher processing portion65, and explanations thereof are thus omitted. The extending portion 74has same functions as those of the extending portion 66, andexplanations thereof are thus omitted. Although having same functions asthose of the large capacity storing portion 68, the small capacitystoring portion 75 does not store the contents themselves, but storesonly the public key certificate and registration information. Therecording and playing portion 76 is provided therein with the recordingmedium 80 such as the optical disk and the semiconductor memory, recordscontents in the recording medium 80, and outputs the read contents tothe extending portion. The inputting means 77 has same functions asthose of the inputting means 63, and explanations thereof are thusomitted. The displaying means 78 has same functions as those of thedisplaying means 64, and explanations thereof are thus omitted. Theexternal memory 79 has same functions as those of the external memory67, and explanations thereof are thus omitted. The recording medium 80is, for example, a MD (Mini Disk: Trademark) or an electronicdistribution-only storing medium (memory stick using a semiconductormemory: Trademark).

A portable device 53, a device that the user carries and uses forplaying back music with enjoyment, is constituted by a communicationportion 81, a host controller 82, a cipher processing portion 83, anextending portion 84 and an external memory 85. The communicatingportion 81 has same functions as those of the communicating portion 61,and explanations thereof are thus omitted. The host controller 82 hassame functions as those of the host controller 62, and explanationsthereof are thus omitted. The cipher processing portion 83 has samefunctions as those of the cipher processing portion 65, and explanationsthereof are thus omitted. The extending portion 84 has same functions asthose of the extending portion 66, and explanations thereof are thusomitted. The external memory 85 has same functions as those of theexternal memory 67, and explanations thereof are thus omitted. However,these memories are not limited only to semiconductor memories, but mayany of HDDs, rewritable optical disks and the like.

FIG. 17 is a block diagram of an electronic distribution-only recordingmedium. A recording medium 120 storing electronically distributedcontents is constituted by a communicating portion 121, a cipherprocessing portion 122 and an external memory 123. The communicatingportion 121 sends data to and receives data from the recording andplaying portion 76 of the stationary apparatus 52 (FIG. 15). The cipherprocessing portion 122 performing cross authentication with thestationary apparatus 52, receiving content usage right,decrypting/encrypting predetermined data, managing the external memorythat retains the content key K_(co), license condition information andthe like, and further storing the save key K_(save) and the like has aconfiguration having same functions as those of the cipher processingportion 65, and explanations thereof are thus omitted. The externalmemory 123 stores the content key K_(co) encrypted with the save keyK_(save), the contents encrypted with the content key K_(co) and licensecondition information defining conditions for using the contents, andthe handling policy and price information as required.

The electronic distribution-only recording medium 120 is different inusage from the recording medium described with the stationary apparatus52. The normal recording medium 80 is a substitute for the largecapacity storing portion 68 of the home server 51 while the electronicdistribution-only medium 120 is not different from a portable devicethat does not have an extending portion. An apparatus such as thestationary apparatus 52 having the extending portion 74 is thus neededfor playing back contents, but in terms of functions such as receipt ofcontents and management of contents, processing as in the case of thehome server 51 and the portable device 53 can be performed. Due to thesedifferences, the contents recorded in the normal medium 80 can not beplayed back by apparatuses other than those that have recorded thecontents, but the contents recorded in the electronic distribution-onlyrecording medium 120 can be played back by apparatuses other than thosethat have recorded the contents. That is, since the normal recordingmedium 80 includes therein only the contents encrypted with the contentkey K_(co), contents can not be played back with apparatuses other thanthose having (recording) the content key K_(co). On the other hand, inthe electronic distribution-only recording medium 120, not only thecontents encrypted with the content key K_(co) but also the content keyK_(co) which is encrypted with the save key K_(save) specific to theelectronic distribution-only recording medium 120 is retained, thusenabling other apparatuses to play back the contents.

That is, cross authentication between a cross authentication module 128of the cipher processing portion 122 and a cross authentication module(not shown) of the cipher processing portion 73 of the stationaryapparatus 52 is performed, followed by decrypting the content key K_(co)with a save key K_(save) specific to the dedicated recording medium,encrypting the content key K_(co) with the shared temporary keyK_(temp), and sending the same to the cipher processing portion 73 toperform playing.

FIG. 18 is a block diagram showing a data storage state in eachapparatus. In the home server 51, individual IDs for identifyingapparatuses (same as those for identifying the cipher processingportion), IDs for settlement that are used when accounting is performed(for which individual IDs may be substituted as required, and which maybe unnecessary because of being included in registration information),secret keys different for each apparatus, the save key K_(save), thepublic key of the electronic distribution service center 1 that is usedwhen performing cross authentication with the electronic distributionservice center 1 (which is unnecessary if there is the public keycertificate of the electronic distribution service center 1), the publickey of the authenticator station 22 for verifying the public keycertificate, and the common key which is used when performing crossauthentication with the extending portion 66 in the memory module 92 inthe cipher processing portion 65. These data are data that are stored inadvance when apparatuses are manufactured. In contrast, the distributionkey K_(d) distributed periodically from the electronic distributionservice center 1, accounting information written when purchaseprocessing is performed, the content key K_(co) retained in the externalmemory 67, and the hash value for checking tamper of license conditioninformation are data that are stored after use of the apparatus isstarted, and these data are also stored in the memory module 92. In thememory module 106 in the extending portion 66, individual IDs foridentifying the extending portion and the common key which is used whencross authentication is performed with the cipher processing portion 65are stored in advance when the apparatus is manufactured. Furthermore,for making the cipher processing portion 65 and the extending portion 66correspond with each other on an one-to-one basis, each memory modulemay have each other's ID (Cross authentication is performed with thecommon key, and eventually exchange can be performed only with thecorresponding cipher processing portion and extending portion. However,the process may be cross authentication of public key cryptosystem. Thekey stored at this time is not the common key, but secret key specificto the extending portion 66).

In the external memory 67 are stored the content key K_(co) encryptedwith the save key K_(save) that is used when the contents are decrypted,and the license condition information showing conditions when thecontent key K_(co) is used. Also, in the large capacity storing portion68 are stored the certificate of the public key corresponding to thesecret key different for each apparatus in the memory module 92 (publickey certificate of the apparatus), registration information, the contentprovider secure container (the contents encrypted with the content keyK_(co) and the signature thereof, the content key K_(co) encrypted withthe individual key K_(i) and the signature thereof, the individual keyK_(i) encrypted with the distribution key K_(d) and the signaturethereof, and the handling policy and the signature thereof), the serviceprovider secure container (price information and the signature thereof),the public key certificate of the content provider 2 and the public keycertificate of the service provider 3.

The portable device 53 is provided with the cipher processing portion 83same as the cipher processing portion 65 retained by the home server 51,and the external memory 85 same as the external memory 67 (Those withsame internal data are omitted. For example, the extending portion).However, the internally retained data are slightly different as shown inthe figure. As for data retained by the memory module in the cipherprocessing portion 83 are stored individual IDs for identifyingapparatuses, the secret key different for each apparatus, the save keyK_(save), the public key of the electronic distribution service center1, which is used when performing cross authentication with theelectronic distribution service center 1 (However, it is not necessaryto have all procedures with the electronic distribution service center 1performed by the home server 51 as a proxy), the public key of theauthenticator station 22 for verifying the public key certificate, andthe common key for performing cross authentication with the extendingportion 84. These data are data that are stored in advance whenapparatuses are manufactured. Also, the content key K_(co) retained inthe external memory 85 and the hash value for checking tamper of licensecondition information, and the ID for settlement as required, thedistribution key K_(d) and (part of) registration information (In thecase where purchase processing is not performed, the ID for settlementand the distribution K_(d) are not required) are data that are storedafter use of the apparatus is started, and these data are also stored(In the case where purchase processing is performed, accountinginformation is also stored). In the external memory 85 are stored thepublic key certificate corresponding to the secret key different foreach apparatus, which exists in the cipher processing portion 83, thecontents encrypted with the content key K_(co) and the signature thereof(In addition, the content key K_(co) encrypted with the individual keyK_(i) and the signature thereof as required, the individual key K_(i)encrypted with the distribution key K_(d) and the signature thereof, thehandling policy and the signature thereof as required, and priceinformation and the signature thereof may also be stored), the contentkey K_(co) encrypted with the save key K_(save) that is used when thecontents are decrypted, and license condition information showingconditions when the contents are used. Also, the public key certificateof the content provider 2 and the public key certificate of the serviceprovider 3 are also stored as required.

The stationary apparatus 52 is provided with the recording medium 80, inaddition to the configuration of the home server 51. The recordingmedium 80 may be a normal MD and CD-R, or may be an electronicdistribution-only recording medium. In the case of the former, data tobe recorded are decrypted contents with a copy prohibition signal addedthereto but of course, encrypted contents may also be contained (Thecontent key K_(co) encrypted with the save key K_(save) may also bestored together. At this time, the apparatus capable of playing backcontents is only the apparatus storing the contents. For the save keyK_(save) is different for each apparatus).

Also, FIG. 19 can be considered as the recording medium. In theelectronic distribution-only recording medium 120, individual IDs of therecording medium, the secret key different for each recording medium,the certificate of the public key corresponding to this secret key(which may be stored in the external memory 123), the save key K_(save)used for encrypting the content key K_(co) (generally, different forrecording medium), the public key of the electronic distribution servicecenter 1 (needless if exchange with the center is not performed, orthere exist the public key certificate of the electronic distributionservice center 1 in the external memory 123), the public key of theauthenticator station, the hash value for checking tamper of theexternal memory 123 and (part of) registration information are stored ina memory module 125 existing in the cipher processing portion 122. Inthe external memory 123, contents encrypted with the content key K_(co)(and the signature thereof), the content key K_(co) encrypted with thesave key K_(save) and license condition information are stored, and thehandling policy (and the signature thereof), price information (and thesignature thereof), the public key certificate of the content provider 2and the public key certificate of the service provider 3 are stored asrequired.

FIG. 20 and FIG. 21 explain information sent and received among theelectronic distribution service center 1, the content provider 2, theservice provider 3 and the user home network 5. The content provider 2adds the public key certificate of the content provider 2 (describedlater in detail) to the content provider secure container (describedlater in detail) and sends the same to the service provider 3. Also, thecontent provider 2 sends the handling policy and the signature thereof,and the certificate of the content provider 2 to the electronicdistribution service center 1 as required.

The service provider 3 verifies the public key certificate of thecontent provider 2, obtains the public key of the content provider 2,and verifies the received signature of the content provider securecontainer (There may be cases where only the handling policy isverified). After the signature is verified successfully, the handlingpolicy is taken from the content provider secure container, priceinformation is generated on the basis of this handling policy, and theprice information is provided with the signature to define the same asthe service provider secure container (described later in detail). Thecontent provider secure container, the service provider securecontainer, the public key certificate of the content provider 2 and thepublic key certificate of the service provider 3 (described later indetail) are sent to the user home network 5. Also, the service provider3 sends the price information and the signature as required thereof andthe public key certificate of the service provider 3 to the electronicdistribution service center 1.

The user home network 5 verifies the received secure container, and thenperforms purchase processing based on the handling policy and priceinformation included in the secure container, generates accountinginformation and stores the same in the memory module in the encryptingprocessing portion, generates license condition information, decryptsthe content key K_(co) and re-encrypts the same with the save keyK_(save), and stores the license condition information and there-encrypted content key K_(co) in the external memory 67. And, inaccordance with the license condition information, the content keyK_(co) is decrypted with the save key K_(save) and the contents aredecrypted with this key for use. The accounting information is encryptedwith the temporary key K_(temp) in predetermined timing, and is providedwith the signature, and is sent to the electronic distribution servicecenter 1 together with the handling policy and price information asnecessary.

The electronic distribution service center 1 calculates a usage chargebased on the accounting information and the price information, andcalculates benefits of the electronic distribution service center 1, thecontent provider 2 and the service provider 3, respectively. Theelectronic distribution service center 1 further compares the handlingpolicy received from the content provider 2, the price information andas required, the handling policy received from the service provider 3,and the handling policy and as required, the price information receivedfrom the user home network 5 and performs monitoring as to whether ornot a fraud such as tampering with the handling policy or illegal priceaddition has occurred in the service provider 3 or the user home network5, and so on.

Furthermore, the electronic distribution service center 1 sends thepublic key certificate of the content provider to the content provider2, and sends the public key certificate of the service provider to theservice provider 3. Also, for embedding in each apparatus the public keycertificate created in accordance with each apparatus during factoryshipment, data with respect to the public key certificate of eachapparatus is delivered to the factory.

FIG. 22 explains the content provider secure container. The contentprovider secure container 1A includes therein contents encrypted withthe content key K_(co) and the signature thereof, the content key K_(co)encrypted with the individual key K_(i) and the signature thereof, theindividual key K_(i) encrypted with the distribution key K_(d) and thesignature thereof, and the handling policy and the signature thereof.The signature is data generated by using the secret key K_(scp) of thecontent provider 2 with the hash value generated by applying the hashfunction to each data. Furthermore, in the case of FIG. 22, signaturesare generated and added separately for key data (the content key K_(co)encrypted with the individual key K_(i), the individual key K_(i)encrypted with the distribution key K_(d)), but one signature may begenerated and added for a collection of each data (the content key K_(c)encrypted with the individual key K_(i), the individual key K_(i)encrypted with the distribution key K_(d)). In this way, the key datathat are always used integrally are integrated into one, to which onesignature is added, thereby making it possible to verify the signatureat a time.

FIG. 23 explains another example of the content provider securecontainer. The content provider secure container 1B includes thereincontents encrypted with the content key K_(co) and signature thereof,the content key K_(co) encrypted with the individual key K_(i) and thesignature thereof, and the handling policy and the signature thereof.

FIG. 24 explains another example of the content provider securecontainer. The content provider secure container 1C includes the reincontents encrypted with the content key K_(co), the content key K_(co)encrypted with the individual key K_(i), the individual key K_(i)encrypted with the distribution key K_(d), the handling policy and thesignature. The signature is data that is generated by using the secretkey K_(scp) of the content provider 2 with the hash value generated byapplying the hash function to the contents encrypted with the contentkey K_(co), the content key K_(co) encrypted with the individual keyK_(i), the individual key K_(i) encrypted with the distribution keyK_(d), and the handling policy.

FIG. 25 explains another example of the content provider securecontainer. The content provider secure container 1D includes thereincontents encrypted with the content key K_(co), the content key K_(co)encrypted with the individual key K_(i), the handling policy and thesignature. The signature is data generated by using the secret keyK_(scp) of the content provider 2 with the hash value generated byapplying the hash function to the contents encrypted with the contentkey K_(co), the content key K_(co) encrypted with the individual keyK_(i), and the handling policy.

FIG. 26 explains the public key certificate of the content provider 2.The public key certificate 2A of the content provider 2 includes aversion number of the public key certificate, a serial number of thepublic key certificate that the authenticator station assigns to thecontent provider 2, an algorithm and a parameter used for the signature,the name of the authenticator station, an expiration date of the publickey certificate, the name of the content provider 2, a public keyK_(pcp) of the content provider 2, and the signature. The signature isdata generated by using the secret key K_(sca) of the authenticatorstation with the hash value generated by applying the hash function tothe version number of the public key certificate, the serial number ofthe public key certificate that the authenticator station assigns to thecontent provider 2, the algorithm and the parameter used for thesignature, the name of the authenticator station, the expiration date ofthe public key certificate, the name of the content provider 2, and thepubic key K_(pcp) of the content provider 2.

FIG. 27 explains another example of the public key certificate of thecontent provider 2. The public key certificate 2B of the contentprovider 2 includes the version number of the public key certificate,the serial number of the public key certificate that the authenticatorstation assigns to the content provider 2, the algorithm and theparameter used for the signature, the name of the authenticator station,the expiration date of the public key certificate, the name of thecontent provider 2, the public key K_(pcp) of the content provider 2,the individual key K_(i) encrypted with the distribution key K_(d), andthe signature. The signature is data generated by using the secret keyK_(sca) of the authenticator station with the hash value generated byapplying the hash function to the version number of the public keycertificate, the serial number of the public key certificate that theauthenticator station assigns to the content provider 2, the algorithmand the parameter used for the signature, the name of the authenticatorstation, the expiration date of the public key certificate, the name ofthe content provider 2, the public key K_(pcp) of the content provider2, and the individual key K_(i) encrypted with the distribution keyK_(d).

FIG. 28 explains still another example of the public key certificate ofthe content provider 2. The public key certificate 2C of the contentprovider 2 includes the version number of the public key certificate,the serial number of the public key certificate that the authenticatorstation assigns to the content provider 2, the algorithm and theparameter used for the signature, the name of the authenticator station,the expiration date of the public key certificate, the name of thecontent provider 2, the public key K_(pcp) of the content provider 2, apredetermined kind of data with part of the individual key K_(i)encrypted with the distribution key K_(d), and the signature. Thesignature is data generated by using the secret key K_(sca) of theauthenticator station with the hash value generated by the applying thehash function to the version number of the public key certificate, theserial number of the public key certificate that the authenticatorstation assigns to the content provider 2, the algorithm and theparameter used for the signature, the name of the authenticator station,the expiration date of the public key certificate, the name of thecontent provider 2, the public key K_(pcp) of the content provider 2, apredetermined kind of data with part of the individual key K1 encryptedwith the distribution key K_(d).

FIG. 29 explains the service provider secure container. The serviceprovider secure container 3A consists of price information and thesignature. The signature is data generated by using the secret keyK_(ssp) of the service provider 3 with the hash value generated byapplying the hash function to the price information as required.

FIG. 30 explains another example of the service provider securecontainer. The service provider secure container 3B includes the contentprovider secure container, price information and the signature. Thesignature is data generated by using the secret key K_(ssp) of theservice provider 3 with the hash value generated by applying the hashfunction to the content provider secure container and the priceinformation.

FIG. 31 explains the public key certificate of the service provider 3.The public key certificate 4A of the service provider 3 includes theversion number of the public key certificate, the serial number of thepublic key certificate that the authenticator station assigns to theservice provider 3, the algorithm and the parameter used for thesignature, the name of the authenticator station, the expiration data ofthe public key certificate, the name of the service provider 3, thepublic key K_(psp) of the service provider 3, and the signature. Thesignature is data generated by using the secret key K_(sca) of theauthenticator station with the hash value generated by applying the hashfunction to the version number of the public key certificate, the serialnumber of the public key certificate that the authenticator stationassigns to the service provider 3, the algorithm and the parameter usedfor the signature, the name of the authenticator station, the expirationdata of the public key certificate, the name of the service provider 3,and the public key K_(psp) of the service provider 3.

FIG. 32 explains the public key certificate of a User device. The publickey certificate 5A of the User device includes the version number of thepublic key certificate, the serial number of the public key certificatethat the authenticator station assigns to the User device (to beprecise, the cipher processing portion (a dedicated IC chip)), thealgorithm and the parameter used for the signature, the name of theauthenticator station, the expiration date of the public keycertificate, the name of the User device, the public key K_(pu) of theUser device, and the signature. The signature is data generated by usingthe secret key K_(sca) of the authenticator station with the hash valuegenerated by applying the hash function to the version number of thepublic key certificate, the serial number of the public key certificatethat the authenticator station assigns to the User device, the algorithmand the parameter used for the signature, the name of the authenticatorstation, the expiration date of the public key certificate, the name ofthe User device, and the public key K_(pu) of the User device.

FIG. 33 and FIG. 34 show data formats of the handling policy, thehandling policy is generated by the content provider 2 for each ofsingle contents and each of album contents, and the user home network 5shows the contents of right that can be purchased.

In the data of the handling policy for the single contents (FIG. 33) arestored a data type, the type of the handling policy, the expiration dateof the handling policy, the ID of the contents, the ID of the contentprovider, the ID of the handling policy, the version of the handlingpolicy, an area code, usable apparatus conditions, usable Userconditions, the ID of the service provider, generation managementinformation, the number of rules including purchasable usage rightindicated by the handling policy, address information indicating theposition for storing the rule, the rule stored at the position indicatedby the address information, the public key certificate, and thesignature.

And, the rule is constituted by a rule number added as a referencenumber for each usage right, a usage right content number indicating thecontents of usage right, its parameter, a minimum selling price, anamount of benefits of the content provider, a rate of benefits of suchcontent provider, a data size, and sending information.

Also, in the data of the handling policy for the album contents (FIG.34) are stored a data type, the type of the handling policy, theexpiration date of the handling policy, the ID of the album, the versionof the handling policy, the ID of the content provider, the ID of thehandling policy, an area code, usable apparatus conditions, usable Userconditions, the ID of the service provider, the number of handlingpolicies of the single contents constituting the album, addressinformation indicating the position for storing the handling policy ofthe single contents, data packets of the handling policy of the singlecontents stored at the position indicated by such address information,generation management information, the number of rules includingpurchasable usage right indicated by such handling policy, addressinformation indicating the position for storing the rule, the rulestored at the position indicated by the address information, the publickey certificate, and the signature.

And, as in the case of the rule of the handling policy of the singlecontents, the rule is constituted by a rule number added as a referencenumber for each usage right, a usage content number, a parameter, aminimum selling price, an amount of benefits of the content provider, arate of benefits of such content provider, a data size, and sendinginformation.

In the handling policy, the data type shows that the data is data of thehandling policy, and the type of the handling policy shows that thehandling policy is a handling policy of the single or album contents.The expiration of the handling policy indicates the time period overwhich the handling policy is used, by a date on which the time periodends, or by the number of consecutive days between the specified datewhen starting to use the handling policy and the date when theexpiration date is reached. The ID of the contents and the ID of thealbum show the purchasable single contents and album contents indicatedby the handling policy, and the ID of the content provider representsthe ID of the content provider 2 that has defined the handling policy.

Also, the ID of the handling policy is for identifying the handlingpolicy, and is used for identifying the handling policy, for examplewhen a plurality of handling policies are defined for the same contents,and so on. The version of the handling policy shows the revisioninformation of the handling policy revised in accordance with the periodover which the handling policy is used. Thus, the handling policy ismanaged using the ID of the handling policy and the version of thehandling policy.

The area code indicates areas where the handling policy can be used bycoding them, and to the area code may be assigned a code indicatingspecific areas, which defines areas where the handling policy can beused, and a code allowing the handling policy to be used in all areas.The usable apparatus condition represents conditions of apparatusescapable of using the handling policy, and the usable User conditionrepresents conditions of the user capable of using the handling policy.

The ID of the service provider represents the ID of the service provider3 that uses the handling policy, the ID of the service providercomprises the ID of the specific service provider 3 defining the serviceprovider 3 capable of using the handling policy, and the ID allowing thehandling policy to be used by a plurality of (all) service providers.

Furthermore, the generation management information shows a maximumnumber of instances where the contents can be repurchased. The signatureis added to the handling policy from which the signature is removed,that is entire range of from the data type to the public keycertificate. The algorithm and the parameter used when the signature iscreated and the key for use in verification of the signature areincluded in the public key certificate.

Also, in the rule, the usage right content number is a number added foreach usage right contents, and the parameter represents a parameter ofthe right contents. The minimum selling price represents a minimumselling price when the single and album contents are sold in accordancewith the usage right contents, and the amount and rate of benefits ofthe content provider represent an amount of benefits and a rate ofbenefits to the selling price, which the content provider 2 can obtainwhen the single contents and album contents are purchased. The data sizerepresents a data size of sending information, and such sendinginformation is constituted by points to be added to the user from thepurchase of usage right, defined by the content provider, mileinformation consisting of discounts appropriate to such points, andvarious kinds of information defined by the content provider 2 asnecessary.

Here, in the handling policy of the album contents, a plurality of rulesrepresents purchase patterns of the album contents. Also, in thehandling policy of a plurality of single contents stored in the handlingpolicy of the album contents, rules stored in the handling policyrepresent purchase patterns of single contents in the album, in whicheach corresponding single contents can be purchased separately as asingle music out of the album, or the corresponding single contents canbe purchased only as an album music (That is, it can be purchased onlytogether with other contents as an album).

Thus, the handling policy of the album contents are defined so thateither the album contents or the single contents sellable as singlemusic can be selected and purchased, such that the album contents arepurchased based on rules of the handling policy of the album contents,or the single contents are purchased as a single music based on rules ofthe handling policy of the single contents.

Also, in the handling policy of the album contents, the signature isadded to the whole, whereby a tamper check for the handling policy ofeach single contents together with the handling policy of the albumcontents can be performed only by verifying the signature, withoutverifying the signature of the handling policy of the single contentsstored in the handling policy of the album contents, thus making itpossible to simplify verification of the signature.

In this connection, in the handling policy of the single and albumcontents can be stored presence or absence of verification of thesignature representing whether or not verification of the signature forcontents is carried out, as required. This is because the amount of dataof the contents is relatively large and much time is needed forverifying the signature, and in the case where information about thepresence or absence of the verification of the signature related to thehandling policy is stored, the verification of the signature of thecontents is performed in accordance with such information, or suchverification is not carried out.

Also, in the handling policy of the album contents, the handling policyof a plurality of single contents constituting the album is stored, butthe handling policy of these plurality of single contents is notnecessarily stored.

Furthermore, in the handling policy of the single and album contents,since the amount and rate of benefits of the content provider may bemanaged together by the electronic distribution service center 1, theamount and rate of benefits of the content provider may be removed tomake a configuration, as shown in FIG. 35 and FIG. 36.

FIG. 37 and FIG. 38 show data formats of price information, and theprice information, which is generated for each handling policy of thesingle contents and each handling policy of the album contents givenfrom the content provider 2 in the service provider 3, represents theprices of the single contents and album contents.

In the data of price information for the single contents (FIG. 37) arestored a data type, the type of price information, the expiration dateof the price information, ID of the contents, ID of the serviceprovider, ID of the price information, the version of the priceinformation, an area code, usable apparatus conditions, usable Userconditions, the ID of the content provider, the ID of the handlingpolicy to which such price information is added, the number of rulesincluding purchasable usage right indicated by such price information,address information indicating the position for storing the rule, therule stored at the position indicated by the address information, thepublic key certificate, and the signature.

And, the rule is constituted by a rule number added as a referencenumber for each usage right, the amount of benefits of the serviceprovider, the rate of benefits of the service provider, a price, a datasize, and sending information.

Also, in the data of price information for the album contents (FIG. 38)are stored a data type, the type of price information, the expirationdate of the price information, the ID of the album, the ID of theservice provider, the ID of the price information, the version of theprice information, an area code, usable apparatus conditions, usableUser conditions, the ID of the content provider, the ID of the handlingpolicy to which such price information is added, the number of priceinformation of the single contents constituting the album, addressinformation indicating the position for storing the price information ofthe single contents, a data packet of the price information of thesingle contents stored at the position indicated by such addressinformation, the number of rules including purchasable usage rightindicated by such price information, address information indicating theposition for storing the rule, the rule stored at the position indicatedby such address information, the public key certificate, and thesignature.

And, the rule is constituted by a rule number added as a referencenumber for each usage right, the amount of benefits of the serviceprovider, the rate of benefits of the service provider, a price, a datasize, and sending information, as in the case of the rule of the priceinformation for the single contents.

In the price information, the data type shows that the data is data ofthe price information, the type of the price information shows that suchprice information is price information of the single or album contents.The expiration of the price information indicates the time period overwhich the price information is used, by a date on which the time periodends, or by the number of consecutive days between the specified datewhen starting to use the price information and the date when theexpiration date is reached. The ID of the contents and the ID of thealbum show the purchasable single contents and album contents indicatedby the price information, and the ID of the service provider representsthe ID of the service provider 3 that has created the price information.

Also, the ID of the price information is for identifying such priceinformation, and is used for identifying the price information, forexample when a plurality of price information is defined for the samecontents, and so on. The version of the price information shows therevision information of price information revised in accordance with theperiod over which the price information is used. Thus, price informationis managed using the ID of the price information and the version of theprice information.

The area code indicates areas where the price information can be used bycoding them, and to such a code may be assigned a code indicatingspecific areas, which defines areas where the price information can beused, and a code allowing the price information to be used in all areas.The usable apparatus condition represents conditions of apparatusescapable of using the price information, and the usable User conditionrepresents conditions of the user capable of using the priceinformation. The ID of the content provider represents ID of the contentprovider 2 that has defined the handling policy to which the priceinformation is added. The ID of the handling policy is for identifyingthe handling policy to which the price information is added.

Furthermore, the signature is added to the handling policy from whichthe signature is removed, that is entire range of from the data type tothe public key certificate. The algorithm and the parameter used whenthe signature is created and the key for use in verification of thesignature are included in the public key certificate.

Also, as for the rule number, in the rule, the rule number of the ruleindicated by the corresponding handling policy is used directly. Theamount and rate of benefits of the service provider represent the amountof benefits and the rate of benefits to the price, which the serviceprovider 3 can obtain when the single contents and album contents arepurchased, and the price represents the selling price of the singlecontents and album contents defined by the service provider 3 based onthe usage right contents and the corresponding minimum selling price.The data size represents a data size of sending information, and suchsending information is constituted by points to be added to the userfrom the purchase of usage right, defined by the service provider 3,mile information consisting of discounts appropriate to such points, andvarious kinds of information defined by the service provider 3 asnecessary.

Here, when generating price information, the service provider 3 candefine all purchasable usage rights indicated by the correspondinghandling policy as the purchasable usage right indicated by such priceinformation, and also define usage right selected optionally from allpurchasable usage rights indicated by the handling policy as thepurchasable usage right indicated by the price information, and canselect the usage right defined by the content provider 2.

Also, in the price information of the album contents, a plurality ofrules define selling prices appropriate to purchase patterns of albumcontents. Also, the rule of the price information of single contentsthat can be sold as single music, of price information of a plurality ofsingle contents stored in the price information of the album contents,defines selling prices of single contents that can be sold as suchsingle music.

Thus, in the price information of the album contents, adaptation is madeso that the selling price of the album and the selling price of thesingle contents that can be purchased as single music can be recognizedwith such single price information.

Also, in the price information of the album contents, the signature isadded to the whole, whereby a tamper check for the price information ofeach single contents together with the price information of the albumcontents, and so on can be performed only by verifying the signature,without verifying one by one the signature of the single contents storedin this price information, thus making it possible to simplify theverification of the signature.

In this connection, in the price information of the single and thealbum, presence or absence of verification of the signature for thecontents may be stored as in the case of the handling policy describedin terms of FIG. 33 and FIG. 34. Also, in the price information of thealbum contents, the price information of plurality of single contentsconstituting the album is stored, but the price information of theplurality of single contents is not necessarily stored.

Furthermore, in the price information of the single and album contents,since the amount and rate of benefits of the service provider may bemanaged together by the electronic distribution service center 1, theamount and rate of benefits of the service provider may be removed tomake a configuration, as shown in FIG. 39 and FIG. 40.

FIG. 41 shows a data format of license condition information, and suchlicense condition information is created based on the handling policy ofthe purchased contents when the user purchases the contents, in theapparatus of the user home network 5, and represents the usage rightcontents selected by the user of usage right contents indicated by thishandling policy.

In the data of the license condition information are stored a data type,the type of license condition information, the expiration date of thelicense condition information, the ID of the contents, the ID of thealbum, the ID of the cipher processing portion, the ID of the user, theID of the content provider, the ID of the handling policy, the versionof the handling policy, the ID of the service provider, the ID of priceinformation, the version of the price information, the ID of the licensecondition information, a rule number added to playback right (usageright) as a reference number, a usage right content number, the numberof remaining playbacks, the expiration date of the playback right, arule number added to replication right (usage right) as a referencenumber, a usage right content number, the number of remainingreplications, generation management information, and the ID of thecipher processing portion retaining the playback right.

In the license condition information, the data type shows that this datais data of the license condition information, and the type of thelicense condition information shows which license condition informationof single contents or album contents such license condition informationis. The expiration date of the license condition information shows theperiod over which such license condition information is used, by a dateon which the time period ends, or by the number of consecutive daysbetween the specified date when starting to use the license conditioninformation and the date when the expiration date is reached.

The ID showing the purchased single contents for the ID of the contents,and for the ID of the album, the ID indicating the album is describedonly when the album is purchased. In fact, in the case where contentsare purchased as a single, the ID indicating the purchased singlecontents is described only for the ID of the contents, and in the casewhere the contents are purchased as an album, the IDs of all singlecontents constituting the purchased album are described for the ID ofthe contents, and the ID indicating the purchased album is described forthe ID of the album. Thus, if seeing the ID of the album, whether thepurchased contents are a single or an album can be determined easily.

The ID of the cipher processing portion indicates the cipher processingportion of the apparatus in the user home network 5 that has performedpurchase processing of content. The ID of the user indicates a pluralityof users sharing the apparatus when a plurality of users shares theapparatus in the user home network 5 that has purchased the contents.

Also, the ID of the content provider represents the ID of the contentprovider 2 that has defined the handling policy used for creatinglicense condition information, and the ID of the handling policyindicates the handling policy used for creating such license conditioninformation. The version of the handling policy indicates revisioninformation of the handling policy used for creating the licensecondition information. The ID of the service provider represents the IDof the service provider 3 that has created price information used forcreating the license condition information. The ID of the priceinformation indicates price information used for creating such licensecondition information. The version of the price information indicatesrevision information of the handling policy used for creating thelicense condition information. Thus, by the ID of the content provider,the ID of the handling policy, the version of the handling policy, theID of the service provider, the ID of price information and the versionof price information, the content provider 2 or the service provider 3that has provided the content purchased by the user can be known.

The ID of license condition information is an ID that the cipherprocessing portion of the apparatus in the user home network 5 adds, andis used for identifying such license condition information. The rulenumber of playback right represents a reference number added to theplayback right out of usage right, for which the rule number of the ruleindicated by the corresponding handling policy and price information isused directly. The usage right contents represent the contents ofplayback right described later. The number of remaining playbacksrepresents the number of remaining playbacks out of the number ofplaybacks defined in advance for the purchased contents, and theexpiration date of playback right indicates the period over which thepurchased contents can be played back, with the date when the periodends, and so on.

Also, the rule number of replication right represents a reference numberadded to the replication right out of usage right, for which the rulenumber of the rule indicated by the corresponding handling policy andprice information is used directly. The usage right contents representthe contents of replication right described later. The number ofremaining replications represents the number of remaining replicationsout of the number of replications defined in advance for the purchasedcontents.

Furthermore, the generation management information indicates the numberof instances where contents can be repurchased when the contents arerepurchased. The ID of the cipher processing portion possessing playbackright indicates the cipher processing portion possessing playback rightat this point in time, and the ID of the cipher processing portionpossessing the playback right is changed when management transfer isperformed.

In this connection, in the license condition information, the expirationdate may be defined for replication right, and in the case where theexpiration date is defined, the period over which the purchased contentscan be replicated is indicated with the date when the period ends, andso on.

FIG. 42 shows accounting information, and such accounting information isgenerated by the apparatus in the user home network 5, based on thehandling policy and price information corresponding to the contents,when the contents are purchased.

In the data of accounting information are stored a data type, the ID ofthe cipher processing portion, the ID of the user, the ID of thecontents, the ID of the content provider, the ID of the handling policy,the version of the handling policy, the ID of the service provider, theID of price information, the version of the price information, the ID ofthe license condition information, a rule number, the amount and rate ofbenefits of the content provider 2, the amount and rate of benefits ofthe service provider, generation management information, a data size ofsending information defined by the content provider, the sendinginformation defined by the content provider, a data size of sendinginformation defined by the service provider, the sending informationdefined by the service provider, and the ID of a supplier.

In the accounting information, the data type shows that the data isaccounting information, and the ID of the cipher processing portionindicates the cipher processing portion of the apparatus that hascarried out content purchase processing to generate such accountinginformation. The ID of the user indicates a plurality of users sharingthe apparatus when the plurality of users shares the apparatus in theuser home network 5 that has purchased the contents, the ID of thecontents indicates the purchased contents (single contents or albumcontents).

Also, the ID of the content provider represents the ID of the contentprovider 2 that has defined the handling policy used for purchaseprocessing (ID of the content provider included in this handlingpolicy), the ID of the handling policy indicates the handling policyused for such purchase processing. The version of the handling policyindicates revision information of the handling policy used for purchaseprocessing. The ID of service provider represents the ID of the serviceprovider 3 that has created the price information used for purchaseprocessing (ID of the service provider included in this priceinformation), and the ID of price information indicates the priceinformation used for such purchase processing. The version of priceinformation indicates revision information of the price information usedfor purchase processing.

The ID of license condition information represents the ID of the licensecondition information created at the time of purchase processing, andthe rule number represents a rule number added as a reference number topurchased usage right. The amount and rate of benefits of contentprovider represent the amount and ratio to the sales of a dividendallocated to the content provider 2 from the purchase of the contents,and the amount and rate of benefits of the service provider representthe amount and ratio to the sales of a dividend allocated to the serviceprovider 3 from the purchase of the contents.

Furthermore, the generation management information represents thegeneration of the purchased contents. Also, for the data size of sendinginformation defined by the content provider and the sending informationdefined by the content provider are stored the data size indicated bythe handling policy used for purchase processing, and the sendinginformation itself, and for the data size of sending information definedby the service provider and the sending information defined by theservice provider are stored the data size indicated by the priceinformation used for purchase processing, and the sending informationitself. And, the ID of the supplier indicates the apparatus of thesupplier of the contents subjected to purchase processing, and this IDis accumulated each time repurchase of contents is performed.

In this connection, in the accounting information, since the amount andrate of benefits of the content provider, and the amount and rate ofbenefits of the service provider may be managed together by theelectronic distribution service center 1, the amount and rate ofbenefits of the content provider and the amount and rate of benefits ofthe service provider may be removed to make a configuration, as shown inFIG. 43.

FIG. 44 shows contents of purchasable usage right, and such usage right,if broadly classified, includes playback right, replication right, rightcontent changing right, repurchase right, additional purchase right andmanagement transfer right.

The playback right includes open-ended playback right with no limit onthe period and the number of times, playback right with limit on periodin which there is limit on the playback period, playback right withlimit on total time in which there is limit on total time of playback,and playback with limit on the number of times in which there is limiton the number of playbacks. The replication right includes open-endedreplication right without copy management information, in which there isno limit on the period, no limit on the number of times, and no copymanagement information (for example, serial copy management: SCMS),replication right with limit on the number of times and without copymanagement information, in which there is limit on the number ofreplications but there is no copy management information, replicationwith copy management information in which there is no limit on theperiod and the number of times but copy management information is addedand provided, and replication right with limit on the number of timesand copy management information in which there is limit on the number oftimes and copy management information is added and provided. In thisconnection, the replication right includes, in addition, replicationright with limit on the period in which there is limit on the periodover which replication is possible (including replication right in whichcopy management information is added, and replication right in whichsuch copy management information is not added), and replication rightwith limit on total time in which there is limit on total time ofreplication (namely, total time needed for playing back the replicatedcontents) (including replication right in which copy managementinformation is added, and replication right in which such copymanagement information is not added), and so on.

Also, the right content changing right is a right to change the contentsof usage right already purchased to other contents as described above,and the repurchase right is a right to purchase usage right separatelybased on the right purchased by another apparatus as described above.The additional purchase right is a right to purchase in addition to thecontents already purchased separately other contents of the albumincluding the contents to integrate them into an album, and themanagement transfer right is a right to transfer the purchased usageright to change the owner.

Now, specific examples of usage right contents as shown in FIG. 33 andthe like. In fact, for the data of open-ended playback right, as shownin FIG. 45 (A), information of the expiration date of the playback rightindicating the effective period of the playback right by the date onwhich the period ends, or by the number of consecutive days between thespecified day when the effective period starts and the day when theperiod ends, and so on, is stored in the region of the usage rightcontents. For the data of playback right with limit on the period, asshown in FIG. 45 (B), information of the playback right indicating theeffective period of the playback right by the date on which the periodends, or by the number of consecutive days between the specified daywhen the effective period starts and the day when the period ends, andso on, is stored in the region of the usage right contents.

For the data of playback right with limit on total time, as shown inFIG. 45 (C), information of the expiration date of the playback rightindicating the effective period of the playback right by the date onwhich the period ends, or by the number of consecutive days between thespecified day when the effective period starts and the day when theperiod ends, and so on, and information of the number of days and timeindicating limit on the total time over which playback can be performedare stored in the region of the usage right contents. For the data ofplayback right with limit on the number of times, as shown in FIG. 45(D), information of the expiration date of the playback right indicatingthe effective period of the playback right by the date on which theperiod ends, or by the number of consecutive days between the specifiedday when the effective period starts and the day when the period ends,and so on, and information of the number of playbacks indicating thenumber of instances where playback can be performed are stored in theregion of the usage right contents.

Also, for the data of open-ended replication right without copymanagement information, as shown in FIG. 45 (E), information of theexpiration date of the replication right indicating the effective periodof the replication right by the date on which the period ends, or by thenumber of consecutive days between the specified day when the effectiveperiod starts and the day when the period ends, and so on, is stored inthe region of the usage right contents. For the data of replicationright with limit on the number of times and without copy managementinformation, as shown in FIG. 45 (F), information of the expiration dateof the replication right indicating the effective period of thereplication right by the date on which the period ends, or by the numberof consecutive days between the specified day when the effective periodstarts and the day when the period ends, and so on, and information ofthe number of replications indicating the number of instances wherereplication can be performed are stored in the region of the usage rightcontents.

For the data of replication with copy management information, as shownin FIG. 45 (G), information of the expiration date of the replicationright indicating the effective period of the replication right by thedate on which the period ends, or by the number of consecutive daysbetween the specified day when the effective period starts and the daywhen the period ends, and so on, is stored in the region of the usageright contents. For the data of replication right with limit on thenumber of times and copy management information, as shown in FIG. 45(H), information of the expiration date of the replication rightindicating the effective period of the replication right by the date onwhich the period ends, or by the number of consecutive days between thespecified day when the effective period starts and the day when theperiod ends, and so on, and information of the number of instances wherereplication can be performed are stored in the region of the usage rightcontents.

Furthermore, for the data of right content changing right, as shown inFIG. 45 (I), information of the expiration date of the right contentchanging right indicating the effective period of the right contentchanging right by the date on which the period ends, or by the number ofconsecutive days between the specified day when the effective periodstarts and the day when the period ends, and so on, a former rule numberfor retrieving the usage right contents before it is changed, and a newrule number for retrieving the usage right contents after it is changedare stored in the region of the usage right contents. In thisconnection, if solely considering the replication right with limit onthe period, as the usage right contents, for: example, two or more kindsof contents exist for each usage right contents so that two or morekinds of replication rights with limit on the period depending on thedefinition of the period. Thus, since the usage right contents can behardly managed with the usage right content number alone, in the rightcontent changing right, the usage right contents are managed with therule number added for each plurality of contents.

For the data of repurchase right, as shown in FIG. 45 (J), informationof the expiration date of the repurchase right indicating the effectiveperiod of the repurchase right by the date on which the period ends, orby the number of consecutive days between the specified day when theeffective period starts and the day when the period ends, and so on, aformer rule number for retrieving the usage right contents before it ischanged, a new rule number for retrieving the usage right contents afterit is changed, and maximum distribution generation informationindicating the maximum number of instances where repurchase can beperformed are stored in the region of the usage right contents.

For the data of additional purchase right, as shown in FIG. 45 (K),information of the expiration date of the additional purchase rightindicating the effective period of the additional purchase right by thedate on which the period ends, or by the number of consecutive daysbetween the specified day when the effective period starts and the daywhen the period ends, and so on, and the minimum number of possessedcontents and the maximum number of possessed contents indicating thecontents of the single already purchased, out of a plurality of singlecontents constituting the album contents, are stored in the region ofthe usage right contents.

For the data of management transfer right, as shown in FIG. 45 (L),information of the expiration date of the management transfer rightindicating the effective period of the management transfer right by thedate on which the period ends, or by the number of consecutive daysbetween the specified day when the effective period starts and the daywhen the period ends, and so on, is stored in the region of the usageright contents.

In this connection, as the usage right contents, content purchase rightto purchase contents in accordance with a predetermined order when dataof games are divided into a plurality of contents may be defined, forexample. And, for the data of content purchase right, as shown in FIG.45 (M), information of the expiration date of the content purchase rightindicating the effective period of the content purchase right by thedate on which the period ends, or by the number of consecutive daysbetween the specified day when the effective period starts and the daywhen the period ends, and so on, the ID of the contents alreadypurchased, a former rule number for retrieving the contents of the usageright that has been already purchased, and a new rule number forretrieving the contents of the usage right contents that is newlypurchased are stored in the region of the usage right contents. In thisway, it is possible to have game programs having consecutive stories andso on purchased by the user, and upgrade the contents (game) themselves.

FIG. 46 shows a data format of the single contents, and in the data ofthe single contents are stored a data type, the type of contents, theexpiration date of the contents, the category of the contents, the ID ofthe contents, the ID of the contents provider, the cryptosystem of thecontents, the data length of the encrypted contents, the encryptedcontents, the public key certificate and the signature.

In the single contents, the data type shows that the data is data of thecontents, the type of contents shows that the contents are single. Theexpiration date of the contents indicates the period set fordistribution by the date on which the period ends, or by the number ofconsecutive days between the specified day when distribution is startedand the day when the period ends, and so on. The category of thecontents shows which category the contents belong to, such as musicdata, program data, image data, and the ID of the contents is foridentifying these single contents.

The ID of the content provider represents the ID of the content provider2 possessing these single contents. The cryptosystem of contentsrepresents a cryptosystem for use in encryption of contents (forexample, DES). The signature is added to the data of the single contentsfrom which the signature is removed, namely entire range of from thedata type to the public key certificate. The algorithm and the parameterused when the signature is created, and the key for use in verificationof the signature are included in the public key certificate.

Also, FIG. 47 shows a data format of the album contents, and in the dataof the album contents are stored a data type, the type of contents, theexpiration date of the contents, the ID of the album, the ID of thecontent provider, the number of single contents, address information ofthe single contents, the single contents, the public key certificate andthe signature.

In this album contents, the data type shows that the data is data of thecontents, and the type of the content shows that the contents are analbum. The expiration date of the contents indicates the period set fordistribution of the contents by the date on which the period ends, or bythe number of consecutive days between the specified day whendistribution is started and the day when the period ends, and so on, andthe ID of the album is for identifying this album contents.

The ID of the content provider represents the ID of the content provider2 possessing this album contents. The number of single contentsrepresents the number of single contents constituting the album, theaddress information of the single contents indicates the position forstoring the single contents constituting the album, and the singlecontents are a data packet of a plurality of single contentsconstituting this album, which is actually stored at the positionindicated by the address information. Also, the signature is added tothe entire data of the album contents from the data type to the publickey certificate except for the signature. The algorithm and theparameter used when the signature is created, and the key for use inverification of the signature are included in the public keycertificate.

And, in the album contents, the signature is added to the whole, wherebya tamper check for each single contents together with these albumcontents, and so on can be performed only by verifying the signature,without verifying one by one the signature of the single contents storedin this album contents, thus making it possible to simplify theverification of the signature.

FIG. 48 shows a data format of the key for the single contents, and inthe key data for the single contents are a data type, the type of keydata, the expiration date of the key, the ID of the contents, the ID ofthe content provider, the version of the key, the cryptosystem of thecontent key K_(co), the encrypted content key K_(co), the cryptosystemof the individual key K_(i), the encrypted individual key K_(i), thepublic key certificate, and the signature.

In the key data for the single contents, the data type shows that thisdata is data of the key, the type of key data shows that the key data isfor the single contents. The expiration date of the key indicates theperiod of use of the key shown in the key data (content key K_(co) andindividual key K_(i)) by the date on which the period ends, or by thenumber of days between the specified day when using the key and the daywhen the period ends, and so on, and the ID of the contents indicatesthe single contents which is encrypted with the content key K_(co). TheID of the content provider represents the ID of the content provider 2that possesses the contents and has generated the content key K_(co).

The version of the key indicates revision information of the key(content key K_(co) and individual key K_(i)) revised in accordance withthe period of use. The cryptosystem of the content key K_(co) representsa cryptosystem in the case of encrypting the content key K_(co) usingthe individual key K_(i) (for example, DES), and the encrypted contentkey K_(co) represents the content key K_(co) encrypted by means of thecryptosystem using the individual key K_(i). The cryptosystem of theindividual key K_(i) represents a cryptosystem in the case of encryptingthe individual key K_(i) using the distribution key K_(d) (for example,Triple-DES-CBC), the encrypted individual key K_(i) represents theindividual key K_(i) encrypted by means of the cryptosystem using thedistribution key K_(d). The signature is added to the data of the singlecontents from which the signature is removed, namely entire range offrom the data type to the public key certificate. The algorithm and theparameter used when the signature is created, and the key for use inverification of the signature are included in the public keycertificate.

Here, the distribution key K_(d) and the individual key K_(i) aredistributed always in combination by key data for the single contentsfrom the content provider 2. And, in the key data for the singlecontents, one signature is added to the entire data. Thus, at theapparatus receiving the key data for the single contents, there is noneed to verify the signature separately for the encrypted content keyK_(co) and the encrypted individual key K_(i), and verification of onlyone signature of the key data for the single contents results inverification of the signature for the encrypted content key K_(co) andthe encrypted individual key K_(i), thus making it possible to simplifythe verification of the signature for the encrypted content key K_(co)and encrypted individual key K_(i).

In this connection, the individual key K_(i) is encrypted together withthe ID of the content provider encrypting the content key K_(co) usingthe individual key K_(i). In practice, a method in which the individualkey K_(i) is encrypted together with the ID of the content provider bymeans of a cryptosystem called a Triple-DES-CBC mode will be describedusing FIG. 49. That is, in such a cryptosystem, a predetermined initialvalue and the individual key K_(i) (64 bits) are connected to each otherand are then encrypted with the cryptosystem by the Triple-DES-CBC modeusing the distribution key K_(d), and a first value of 64 bits obtainedas a result is connected to the ID of the content provider (64 bits) andis then encrypted again with the cryptosystem by the Triple-DES-CBC modeusing the distribution key K_(d), thus obtaining a second value of 64bits. And, in such a cryptosystem, data of 16 bytes with the first valueand the second value connected to each other is the encrypted individualkey K_(i) to be stored in the key data for the single contents (In thiscase, the first value is equal to the earlier 64 bit data of theencrypted individual key K_(i) to be stored in the key data for thesingle contents, and the second value is the 64 bit data following thefirst value in the encrypted key K_(i) to be stored in the key data forthe single contents).

Also, FIG. 50 shows key data for the album contents, and in the key datafor the album contents are stored a data type, the type of key data, theexpiration date of the key, the ID of the album, the ID of the contentprovider, the version of the key, the number of data for the singlecontents for use in encryption of single contents constituting thealbum, address information indicating the position for storing the keydata, a key data packet stored at the position indicated by the addressinformation, the public key certificate and the signature.

In the key data of the album contents, the data type shows that thisdata is data of the key, and the type of key data shows that the keydata is for the album contents. The expiration date of the key indicatesthe period of use of the key (content key K_(co)) shown in the key databy the date on which the period ends, or by the number of days betweenthe specified day when starting to use the key and the day when theperiod ends, and so on, and the ID of the album indicates the albumcontents consisting of single contents that are encrypted with thecontent key K_(co). The ID of the content provider represents the ID ofthe content provider 2 encrypting the album contents.

The version of the key indicates revision information of the revised key(content key K_(co)) in accordance with the period of use. The signatureis added to the key data for the single contents from which thesignature is removed, namely the entire range of from the data type tothe public key certificate. The algorithm and the parameter used whenthe signature is created, and the key for use in verification of thesignature are included in the public key certificate.

And, in the key data for the album contents, the signature is added tothe whole, whereby a tamper check for key data for each single contentstogether with key data for the album contents can be performed only byverifying the signature, without verifying one by one the signature ofthe key data for a plurality of single contents stored in the key datafor the album contents, thus making it possible to simplify theverification of the signature.

FIG. 51 explains operations of cross authentication between the cipherprocessing portion 65 and the extending portion 66, using a common keycipher that is DES with a single common key. In FIG. 51, assuming that Ais the extending portion 66 and B is the cipher processing portion 65,the cipher processing portion 65 generates a 64 bit random number R_(B),and sends R_(B) and ID_(B) that is its own ID to the extending portion66 via the host controller 62. The extending portion 66, which receivesthem, newly generates a 64 bit random number R_(A), encrypts R_(A),R_(B) and ID_(B) with the DES-CBC mode using the key K_(AB), and sendsback the same to the cipher processing portion 65 via the hostcontroller 62.

The DES-CBC mode is a technique by which output and input being the lastbut one is subjected to exclusive disjunction, and is then encrypted. Ifapplied to this example, the following equations hold, and outputs areX, Y and Z.X=DES(K _(AB) , R _(A) +IV) IV=initial value, +:exclusive disjunctionY=DES(K _(AB) , R _(B) +X)Z=DES(K _(AB) , ID _(B) +Y)In these equations, DES (K_(AB), R_(A)+IV) represents data R_(A)+IVbeing encrypted with DES using the key K_(AB), DES (K_(AB), R_(B)+X)represents data R_(B)+X being encrypted with DES using the key K_(AB),and DES (K_(AB), ID_(B)+Y) represents data ID_(B)+Y being encrypted withDES using the key K_(AB).

The cipher processing portion 65, which receives this, decrypts thereceived data with the key K_(AB), and examines whether R_(B) and ID_(B)match those sent by the cipher processing portion 65. In the case ofpassing the examination, the extending portion 66 is authenticated as acorrect one. Then, the session key (refers to the temporary keyK_(temp), and is generated with a random number) SK_(AB) is generated,and R_(B), R_(A) and SK_(AB) are encrypted with the DES-CBC mode usingthe key K_(AB), and are sent to the extending portion 66 via the hostcontroller 62. The extending portion 66, which receives this, decryptsthe received data with the key K_(AB), and examines whether R_(B) andR_(A) match those sent by the extending portion 66. In the case ofpassing this examination, the cipher processing portion 65 isauthenticated as correct one, and the data SK_(AB) is used as a sessionkey in following communications. Furthermore, in the case where a fraudor mismatch is found when the received data is examined, processing issuspended considering that the cross authentication is unsuccessful.

FIG. 52 explains operations of cross authentication between the crossauthentication module 95 in the cipher processing portion 65 of the homeserver 51 and an authentication module (not shown) in the cipherprocessing portion 73 of the stationary apparatus 52, using an ellipticcurve cipher of 160 bit length, which is a public key cipher. In FIG.52, assuming that A is the cipher processing portion 73 and B is thecipher processing portion 65, the cipher processing portion 65 generatesthe 64 bit random number R_(B) and sends the random number to thestationary apparatus 52 via the host controller 62 and the communicationportion 61. The stationary apparatus 52, which receives this, newlygenerates the 64 bit random number R_(A) and a random number A_(K) thatis smaller than the characteristic number p. And, the cipher processingportion 65 determines a point A_(V) with a base point G being multipliedby A_(K), connects R_(A), R_(B) and A_(V) (X and Y coordinates) (64bits+64 bits+160 bits+160 bits, resulting in 448 bits), and generates,for the data, signature data A.Sig with its own secret key. Furthermore,scalar multiplication of the base point is same as that described forgeneration of the signature in FIG. 10, and description thereof is thusomitted. Connection of data is as follows, for example. It refers to 32bit data in which upper 16 bit data is A and lower 16 bit data is B whenthe 16 bit data A and the 16 bit data B are connected with each other.For generation of the signature, a method same as that described for thegeneration of the signature in FIG. 10 is used, and description thereofis thus omitted.

Then, the cipher processing portion 73 passes R_(A), R_(B), A_(V) andsignature data A.Sig to the host controller 72, and the host controller72 adds thereto the public key certificate (stored in the small capacitystoring portion 75) for the stationary apparatus 52, and sends the sameto the home server 51 via the communicating portion 71. The public keycertificate has been described with reference to FIG. 32, and detailsthereof are thus omitted. The home server 51, which receives this,verifies the signature of the public key certificate of the stationaryapparatus 52 at the cipher processing portion 65. For verification ofthe signature, a method same as that described for the verification ofthe signature in FIG. 11 is used, and description thereof is thusomitted. Then, whether the random number R_(B), out of data sent, issame as that sent by the cipher processing portion 65 is examined, andif same, the signature data A.Sig is verified. When the verification issuccessful, the cipher processing portion 65 authenticates the cipherprocessing portion 73. Furthermore, for verification, a method same asthat described for the verification of the signature in FIG. 11 is used,and description thereof is thus omitted. And, the cipher processingportion 65 generates the random number B_(X) that is smaller than thecharacteristic number p, determines a point B_(V) with the base point Gbeing multiplied by B_(K), connects R_(B), R_(A) and B_(V) (X and Ycoordinates), and generates signature data B. Sig with its own secretkey for the data. Finally, the cipher processing portion 65 passesR_(B), R_(A), B_(V) and the signature data B. Sig to the host controller62, and the host controller 62 adds thereto the public key certificatefor the home server 51 (stored in the large capacity storing portion 68)and sends the same to the stationary apparatus 52 via the communicatingportion 61.

The stationary apparatus 52, which receives this, verifies the publickey certificate of the home server 51 at the cipher processing portion73. Then, whether the random number R_(A), out of data sent, is same asthat sent by the cipher processing portion 73 is examined, and if same,the signature data B. Sig is verified. When the verification issuccessful, the cipher processing portion 73 authenticates the cipherprocessing portion 65.

In the case where both parties succeed in authentication, the cipherprocessing portion 65 calculates B_(K) A_(V) (Although B_(K) is a randomnumber, calculation of scalar multiplication on the elliptic curve isnecessary because A_(V) is a point on the elliptic curve), the cipherprocessing portion 73 calculates A_(K) B_(V), and the lower 64 bits of Xcoordinate of these points are used as the session key (temporary keyK_(temp)) in following communications (in the case where the common keycipher is considered as the common key cipher of 64 bit length). In thisconnection, for the session key for use in communication, not only thelower 64 bits of the X coordinate, but also the lower 64 bits of the Ycoordinate may be used. Furthermore, in secret communication after crossauthentication, there may be cases where data is not just encrypted withthe temporary key K_(temp), but the signature is added to the encrypteddata.

In the case where a fraud or mismatch is found when the signature isverified and the received data is verified, processing is suspendedconsidering that the cross authentication is unsuccessful.

FIG. 53 explains operations when a settlement-capable apparatus in theuser home network 5 sends accounting information to the electronicdistribution service center 1. The settlement-capable apparatus in theuser home network 5 retrieves from registration information a targetapparatus for which proxy settlement should be performed, performs crossauthentication, and encrypts accounting information with the sharedtemporary key K_(temp) (This key is different each time crossauthentication is performed) to has the accounting information sent (Atthis time, the signature is added to the data). After processing iscompleted for all apparatuses, cross authentication with the electronicdistribution service center 1 is performed, all the accountinginformation is encrypted with the shared temporary key, signature datais added to them, and they are sent to the electronic distributionservice center 1, together with registration information, and thehandling policy and price information as required. Furthermore, sinceinformation necessary for distribution of money such as the ID of thehandling policy and the ID of price information is included in theaccounting information which is sent from the user home network 5 to theelectronic distribution service center 1, the handling policy and priceinformation with large amounts of information are not necessarily sent.The user managing portion 18 receives this. The user managing portion 18verifies signature data for the received accounting information,registration information, handling policy and price information. Forverification of the signature, a method same as that described for thegeneration of the signature in FIG. 11 is used, and detailed descriptionthereof is thus omitted. Then, the user managing portion 18 decrypts theaccounting information with the temporary key K_(temp) shared at thetime of cross authentication, sends the same to the background datamanaging portion 15 together with the handling policy and priceinformation.

In this connection, in this embodiment, data to be sent after crossauthentication is encrypted by the temporary key K_(temp) as necessary.In the case of the content key K_(co) and the distribution key K_(d),for example, data may be used illegally if the their contents areviewed, and it is thus necessary to perform encryption with thetemporary key K_(temp) to prevent viewing from the outside. In contrastto this, in the case of accounting information and license conditioninformation, since data cannot be used illegally even if their contentsare viewed, encryption with the temporary key K_(temp) is notnecessarily performed, but if the money amount of accounting informationis tempered and the usage condition of license condition information istampered so that it is loosened, parties involved in acceptance of moneywill suffer a loss. Therefore, accounting information and licensecondition information are sent with the signature added thereto, therebypreventing tampering. However, the signature may also be added when thecontent key K_(co) and the distribution key K_(d) are sent.

And, at a sending end, the signature is generated for data to be sent orfor data with the data to be sent encrypted with the temporary keyK_(temp), and the data and the signature are sent. At the receiving end,data is obtained by verifying the signature in the case where the sentdata is not encrypted with the temporary key K_(temp), or data isobtained by decrypting the data with the temporary key K_(temp) afterverifying the signature in the case where the sent data is encryptedwith the temporary key K_(temp). In this embodiment, for data that issent after cross authentication, signature and encryption with thetemporary key K_(temp) as necessary may be performed according to theabove method.

The user managing portion 18 receives the distribution key K_(d) fromthe key server 14, encrypts this with the shared temporary key K_(temp)and adds signature data thereto, creates registration information fromthe user registration database, and sends the distribution key K_(d)encrypted with the temporary key K_(temp), the signature data and theregistration information to the settlement-capable apparatus in the userhome network 5. A method of creating registration information is same asthat described with reference to FIG. 8, and detailed descriptionthereof is thus omitted.

When settlement is performed, the account charging portion 19 receivesaccounting information, the handling policy as necessary and priceinformation from the background data managing portion 15, calculates anamount to be demanded from the user, and sends charging information tothe banking portion 20. The banking portion 20 communicates with a bankand the like, and carries out settlement processing. At this time, ifthere is information of user's accounts payable, such information issent to the account charging portion 19 and the user managing portion 18in the form of settlement reports, is incorporated in the userregistration database, and is referred to during user registrationprocessing or settlement processing.

The settlement-capable apparatus in the user home network 5, whichreceives the distribution key K_(d) encrypted with the temporary keyK_(temp), the signature data and the registration information updatesstored registration information and examines the registrationinformation, and if it is registered, the apparatus authenticates thesignature data, and then decrypts the distribution key K_(d) with thetemporary key K_(temp), updates the distribution key K_(d) stored in thememory module in the cipher processing portion, and deletes the accountinformation in the memory module. Next, the settlement-capable apparatusretrieves object apparatuses for which proxy settlement should beperformed from the registration information, performscross-authentication for each apparatus found by such retrieval,encrypts the distribution key K_(d) read from the memory module of thecipher processing portion with the temporary key K_(temp) different foreach apparatus found by the retrieval, and adds the signature for eachapparatus and sends the same to each apparatus together with theregistration information. Processing is ended when all the objectapparatuses for which proxy settlement should be performed are finished.

The object apparatus, which receives these data, examines theregistration information as in the case of the settlement-capableapparatus, and authenticates the signature data, followed by decryptingthe distribution key K_(d) with the temporary key K_(temp), updating thedistribution key K_(d) in the memory module and deleting the accountinginformation.

Furthermore, for apparatuses whose registration items of registrationinformation are identified as “registration impossible”, update of thedistribution key K_(d) and deletion of account information are notcarried out because accounting has not been performed (for contents ofregistration items, there may be a various kinds of cases such as stopof all processes including use, stop of purchase processing, states ofprocessing normally performed and the like).

FIG. 54 explains operations of benefit distribution processing of theelectronic distribution service center 1. The background data managingportion 15 retains and manages the accounting information, and thehandling policy and the price information as required, which have beensent from the user managing portion 18. The benefit distributing portion16 calculates the benefit of each of the content provider 2, the serviceprovider 3 and the electronic distribution service center 1 from theaccounting information, and the handling policy and the priceinformation as required, which have been sent from the background datamanaging portion 15, and sends results thereof to the service providermanaging portion 11, the content provider managing portion 12 and thebanking portion 20. The banking portion 20 communicates with a bank andthe like to perform settlement. The service provider managing portion 11sends to the service provider 2 the distribution information receivedfrom the benefit distribution portion 16. The content provider managingportion 12 sends to the content provider 3 the distribution informationreceived from the benefit distributing portion 16.

The auditing portion 21 receives the accounting information, thehandling policy and the price information from the background datamanaging portion 15, and audits that data is not inconsistent. Forexample, it audits that the price in the accounting information isconsistent with the data of the price information, distribution ratesare consistent, and so on, and audits that the handling policy is notinconsistent with the price information. Also, processing by theauditing portion 21 includes processing of auditing consistence of theamount of money added from the user home network 5 with the total amountof money distributed as benefits or the amount of money sent to theservice provider 3, and processing of making audit on whether or not IDsof the content provider and service provider that can not exist, andunconceivable earnings, prices and the like are included in the data ofthe accounting information supplied from the apparatus in the user homenetwork 5.

FIG. 55 explains operations of processing, of the electronicdistribution service center 1, for sending a usage record of contents toJASRAC. The background data managing portion 15 sends accountinginformation indicating the user's usage record of the contents to thecopyright managing portion 13 and the benefit distributing portion 16.The benefit distributing portion 16 calculates from the accountinginformation the amount of money to be demanded from JASRAC and thepayments thereof, and sends payment information to the banking portion20. The banking portion 20 communicates with a bank and the like tocarry out settlement processing. The copyright managing portion 13 sendsthe user's usage record of the contents to JASRAC.

Now, processing of the EMD system will be described. FIG. 56 is a flowchart explaining processing to distribute and play back contents by thissystem. In Step S40, the content provider managing portion 12 of theelectronic distribution service center 1 sends the individual key K_(i),the individual key K_(i) encrypted with the distribution key K_(d), andthe public key certificate of the content provider 2 to the contentprovider 2, and the content provider 2 receives them. Details about thatprocessing will be described later referring to the flow chart of FIG.57. In Step S41, the user operates the apparatus of the user homenetwork 5 (for example, the home server 51 in FIG. 15), and registersthe apparatus of the user home network 5 in the user managing portion 18of the electronic distribution service center 1. Details about thisregistration processing will be described later referring to the flowchart of FIG. 59. In step S42, the user managing portion 18 of theelectronic distribution service center 1 performs cross authenticationwith the user home network 5 as described above with reference to FIG.52, followed by sending the distribution key K_(d) to the apparatus ofthe user home network 5. The user home network 5 receives this key.Details about this processing will be described later referring to theflow chart of FIG. 62.

In Step S43, the signature generating portion 38 of the content provider2 generates the content provider secure container and sends it to theservice provider 3. Details about this processing will be describedlater referring to the flow chart of FIG. 65. In Step S44, the signaturegenerating portion 45 of the service provider 3 generates the serviceprovider secure container and sends it to the user home network 5 viathe network 4. Details about this send processing will be describedlater referring to the flow chart of FIG. 66. In Step S45, the purchasemodule 94 of the user home network 5 performs purchase processing.Details about the purchase processing will be described later referringto the flow chart of FIG. 67. In Step S46, the user plays back thecontents with the apparatus of the user home network 5. Details aboutthe playback processing will be described later referring to the flowchart of FIG. 72.

FIG. 57 is a flow chart explaining details about processing where theelectronic distribution service center 1 sends to the content provider 2the individual key K_(i), the individual key K_(i) encrypted with thedistribution key K_(d) and the public key certificate, and the contentprovider 2 receives them. In Step S50, the cross authenticating portion17 of the electronic distribution service center 1 performs crossauthentication with the cross authenticating portion 39 of the contentprovider 2. This cross authentication processing has been described withreference to FIG. 52, and detailed description thereof is thus omitted.When the content provider 2 is identified as a correct provider throughthe cross authentication processing, the content provider 2 receives theindividual key K_(i), the individual key K_(i) encrypted with thedistribution key K_(d) and the certificate sent from the contentprovider managing portion 12 of the electronic distribution servicecenter 1, in Step S51. In Step S52, the content provider 2 stores thereceived individual key K_(i) in the tamper resistant memory 40A, andstores the individual key K_(i) encrypted with the distribution keyK_(d) and the certificate in the memory 40B.

In this way, the content provider 2 receives the individual key K_(i),the individual key K_(i) encrypted with the distribution key K_(d) andthe certificate from the electronic distribution service center 1. In asimilar way, in the case of performing processing of the flow chartshown in FIG. 56, the service provider 3, in addition to the contentprovider 2, also receives the individual key K_(i) (different from theindividual key K_(i) of the content provider 2), the individual keyK_(i) encrypted with the distribution key K_(d) and the certificate fromthe electronic distribution service center using processes as in thecase of FIG. 57.

Furthermore, the memory 40A retains the individual key K_(i) that thecontent provider 2 must retain in secrecy, and thus it is desirably thetamper resistant memory in which data is not easily read out by a thirdparty, but a particular limitation in terms of hardware is not required(For example, it may be a hard disk placed in an entrance-controlledroom or a hard disk of a password-controlled personal computer). Also,the memory 40B stores therein only the individual key K_(i) encryptedwith the distribution key K_(d), and the certificate of the contentprovider 2, and thus may be a normal memory and the like (notnecessarily kept secret). Also, the memories 40A and 40B may beintegrated into one memory.

FIG. 58 is a flow chart explaining processing where the home server 51registers settlement information in the user managing portion 18 of theelectronic distribution service center 1. In Step S60, the home server51 performs cross authentication of the public key certificate stored inthe large capacity storing portion 68 with the cross authenticatingportion 17 of the electronic distribution service center 1, using thecross authentication module 95 of the cipher processing portion 65. Thisauthentication processing is similar to that described referring to FIG.52, and description thereof is thus omitted. The certificate which thehome server 51 sends to the user managing portion 18 of the electronicdistribution service center 1, in Step S60, includes the data shown inFIG. 32 (the public key certificate of the user apparatus).

In Step S61, the home server determines whether or not the registrationof personal settlement information (user's credit card number, accountnumber of a settlement entity) is new registration, and proceeds to StepS62 if determining it as new registration. In Step S 62, the user inputsthe personal settlement information using the inputting means 63. Thesedata are encrypted by the encryption unit 112 using the temporary keyK_(temp), and are sent to the user managing portion 18 of the electronicdistribution service center 1 via the communicating portion 61.

In Step S63, the user managing portion 18 of the electronic distributionservice center 1 fetches the ID of the apparatus from the receivedcertificate, and retrieves the user registration database shown in FIG.7 on the basis of this ID of the apparatus. In Step S64, the usermanaging portion 18 of the electronic distribution service center 1determines whether or not it is possible to register the apparatushaving the received ID, and if determining that it is possible toregister the apparatus having the received ID, the user managing portion18 proceeds to Step S65 to determine whether or not the apparatus havingthe received ID is that of new registration. In Step S65, if it isdetermined that the apparatus having the received ID is that of newregistration, advancement to Step S66 is made.

In Step S66, the user managing portion 18 of the electronic distributionservice center 1 newly issues a settlement ID, decrypts the settlementinformation encrypted with the temporary key K_(temp), registers thesettlement ID and the settlement information in the settlementinformation database storing the apparatus ID, the settlement ID, thesettlement information (account number, credit card number, and thelike), the transaction suspension information and so on with thesettlement ID and the settlement information being made to correspond tothe ID of the apparatus, and registers the settlement ID in the userregistration database. In Step 67, the registration information iscreated based on the data registered in the user registration database.This registration information has been described with reference to FIG.8, detailed description thereof is thus omitted.

In Step S68, the user managing portion 18 of the electronic distributionservice center 1 sends the created registration information to the homeserver 51. In Step S69, the host controller 62 of the home server 51stores the received registration information in the large capacitystoring portion 68.

In Step S61, if it is determined that the registration of the settlementinformation is update registration, procedures continue to Step S70, andthe user inputs personal settlement information using the inputtingmeans 63. These data are encrypted by the encryption unit 112 using thetemporary key K_(temp), and are sent to the user managing portion 18 ofthe electronic distribution service center 1 via the communicatingportion 61, along with the registration information already issuedduring settlement registration.

In Step S64, if it is determined that it is not possible to register theapparatus having the received ID, advancement to Step S71 is made, andthe user managing portion 18 of the electronic distribution servicecenter 1 creates registration information of refused registration, andproceeds to Step S68.

In Step S65, if it is determine that the apparatus having the receivedID is not that of new registration, procedures continue to Step S72, andthe user managing portion 18 of the electronic distribution servicecenter 1 decrypts the settlement information encrypted with thetemporary key and register the information in the settlement informationregistration database with the information being made to correspond tothe ID of the apparatus to update the database, and proceeds to StepS67.

In this way, the home server 51 is registered in the electronicdistribution service center 1.

FIG. 59 is a flow chart explaining processing of performing newregistration of the ID of the apparatus in the registration information.Cross authentication processing in Step S80 is similar to that describedwith reference to FIG. 52, and description thereof is thus omitted. InStep S81, description is omitted because of the similarity to Step S63in FIG. 58. Step S82 is similar to Step S64 in FIG. 58, and descriptionthereof is thus omitted. In Step S83, the user managing portion 18 ofthe electronic distribution service center 1 defines a registration itemcorresponding to the apparatus ID in the user registration database as“registration”, and registers the apparatus ID. In Step S84, the usermanaging portion 18 of the electronic distribution service center 1creates registration information as shown in FIG. 8, based on the userregistration database. Step S85 is similar to Step S68 in FIG. 58, anddescription thereof is thus omitted. Step S86 is similar to Step S69 inFIG. 58, and description thereof is thus omitted.

In Step S82, if it is determined that registration of the apparatushaving the received ID is not possible, advancement to Step S87 is made,the user managing portion 18 of the electronic distribution servicecenter 1 creates registration information of refused registration andproceeds to Step S85.

In this way, the home server 51 is registered in the electronicdistribution service center 1.

FIG. 60 is a flow chart explaining processing where another apparatus isadditionally registered via an apparatus which has been alreadyregistered. Here, a case where the home server 51 has been alreadyregistered and the stationary apparatus 52 is registered therein will beexplained. In Step S90, the home server 51 performs cross authenticationwith the stationary apparatus 52. The cross authentication processing issimilar to the processing described with reference to FIG. 52, anddescription thereof is thus omitted. In Step S91, the home server 51performs cross authentication with the electronic distribution servicecenter 1. In Step S92, the home server 51 sends to the electronicdistribution service center 1 the registration information read from thelarge capacity storing portion 68, and the certificate of the stationaryapparatus 52 obtained when performing cross authentication with thestationary apparatus 52 in Step S90. Step S93 is same as step 81 in FIG.59, and description thereof is thus omitted. Step S94 is same as step 82in FIG. 59, and description thereof is thus omitted. Step S95 is same asstep 83 in FIG. 59, and description thereof is thus omitted. In StepS96, the user managing portion 18 of the electronic distribution servicecenter 1 newly creates registration information with information of thestationary apparatus 52 added to the registration information receivedfrom the home server 51. Step S97 is same as Step S85 of FIG. 59, anddescription thereof is thus omitted. Step S98 is same as Step S86 inFIG. 59, and description thereof is thus omitted.

And, in Step S99A, the home server 51 sends the received registrationinformation to the stationary apparatus 52, and in Step S99B, thestationary apparatus 52 stores the received registration information inthe small capacity storing portion 75.

If it is determined that registration of the apparatus having thereceived ID is not possible in Step S94, advancement to Step S99 ismade, and the user managing portion 18 of the electronic distributionservice center 1 creates registration information meaning that only thestationary apparatus 52 is refused for registration (Therefore, the homeserver 51 remains registered), and proceeds to Step S97 (The home server51 succeeds in cross authentication with the electronic distributionservice center 1, which means that registration of the home server 51 ispossible).

Thus, the stationary apparatus 52 is registered additionally in theelectronic distribution service center 1 through the processingprocedure shown in FIG. 60.

Now, timing of update of registration (update of registrationinformation) performed by the registered apparatus will be described.FIG. 61 shows a processing procedure to determine based on various kindsof conditions whether or not registration information is updated, and inStep S600, the home server 51 determines whether or not predeterminedtime has passed since suction of the distribution key K_(d),registration information or accounting information by a clock (notshown) and a determining portion (not shown). If a positive result isobtained, here, it means that predetermined time has passed sincesuction of the distribution key K_(d), registration information oraccounting information, and the home server 51 proceeds to Step S607 tocarry out processing of updating the registration information. Thisprocess will be described later with reference to FIG. 62.

In contrast to this, if a negative result is obtained in Step S 600, itmeans that predetermined time has not passed since suction of thedistribution key K_(d), registration information or accountinginformation, namely the update condition of registration information issatisfied in terms of passage of time, and the home server 51 proceedsto Step S601 at this time.

In Step S601, the home server 51 determines whether or not the number oftimes contents have been purchased has reached a predetermined number.If a positive result is obtained, here, the home server 51 proceeds toStep S607 to carry out registration information update processing, andin contrast to this, if a negative result is obtained, it means that theupdate condition of registration information is not satisfied in termsof the number of times contents have been purchased, and the home server51 thus moves to the following Step S602.

In step S602, the home server 51 determines whether or not the amount ofmoney spent for purchasing the contents has reached a predeterminedamount. If a positive result is obtained, here, the home server 51proceeds to Step S607 to carry out registration information updateprocessing, and in contrast to this, if a negative result is obtained inStep S602, it means that the update condition of registrationinformation is not satisfied in terms of the amount of money spent forpurchasing the contents, and the home server 51 moves to following StepS603.

In step S603, the home server 51 determines whether or not theexpiration date of the distribution key K_(d) has been reached. As amethod for determining whether or not the expiration date of thedistribution key K_(d) has been reached, whether or not the version ofthe distribution key K_(d) of the distributed data is consistent withthe version of any one of three versions of distribution keys K_(d)stored in the memory module 92, or whether or not it is older than theversion of the latest distribution key K_(d). If the result of thiscomparison shows inconsistency, or it is older than the version of thelatest distribution key K_(d), it means that the expiration date of thedistribution key K_(d) in the memory module 92 has been reached, and thehome server 51 obtains a positive result in Step S603, and thus proceedsto Step S607 to carry out processing to update registration information.In contrast to this, if a negative result is obtained in Step S603, itmeans that the update condition of registration information is satisfiedin terms of the expiration date of the distribution key K_(d), and atthis time, the home server moves 51 to following Step S604.

In Step S604, the home server 51 determines presence or absence ofchanged network configuration such as whether or not another apparatushas been newly connected to the home server 51, or whether or notanother apparatus that had been connected has been disconnected. If apositive result is obtained, here, it means that the networkconfiguration has been changed, and at this time, the home server 51proceeds to Step S607 to carry out processing to update registrationinformation. In contrast to this, if a negative result is obtained inStep S604, it means that the update condition of registrationinformation is not satisfied in terms of network configuration, and thehome server 51 thus moves to following Step S605.

In Step S605, the home server 51 determines whether or not update ofregistration information has been requested from the user, and proceedsto Step S607 to carry out processing to update registration informationif update of registration information has been requested, and proceedsto Step S606 if update of registration information has not beenrequested.

In Step S606, the home server 51 performs update determination as inStep S600 to Step S605, in terms of other connected apparatuses, andproceeds to Step S607 to carry out processing to update registrationinformation when a result showing that update should be performed isobtained, and in contrast to this, when a result showing that updateshould be performed is not obtained, the home server 51 repeats similarprocesses from Step S600. In this way, the home server 5.1 can obtaintiming for performing processing to update registration information.Furthermore, it is also possible that the home server 51 does notexamine the update start condition of other apparatuses, but otherapparatuses examine the condition by themselves to make a request to thehome server 51 on their own.

FIG. 62 is a flow chart explaining operations in which a registeredapparatus performs update of registration (update of registrationinformation), performs settlement processing, and accepts redistributionof the distribution key K_(d). The cross authentication process in StepS100 is similar to that described with reference to FIG. 52, anddescription thereof is thus omitted. In Step S101, the home server 51encrypts the accounting information stored in the memory module 92 withthe encryption unit 112 of the cipher processing portion 96 using thetemporary key K_(temp), generates the signature with the signaturegeneration unit 114, and adds the signature thereto. And, the encryptedaccounting information and its signature, the handling policy, priceinformation and registration information stored in the large capacitystoring portion 68 are sent together to the electronic distributionservice center 1. Furthermore, at this time, the handling policy andprice information are not necessarily sent depending on a model. Forthere may be cases where the content provider 2 and the service provider3 send them in advance to the electronic distribution service center 1,or cases where necessary information out of the handling policy andprice information is included in the accounting information.

Step S102 is same as Step S81 in FIG. 59, and description thereof isthus omitted. Step S103 is same as Step S82 in FIG. 59, and descriptionthereof is thus omitted. In Step S104, the user managing portion 18 ofthe electronic distribution service center 1 verifies the signature withthe signature verification unit 115, decrypts the received accountinginformation with the temporary key K_(temp) (In the case where theelectronic signature is added to the received data, verification isperformed with the signature verification unit 115), and (if it isalready received) sends it to the background data managing portion 15along with the handling policy and accounting information. Thebackground data managing portion 15, which receives this, stores andmanages the received data.

In Step S105, the user managing portion 18 of the electronicdistribution service center 1 verifies the registration itemcorresponding to the ID of the apparatus in the user registrationdatabase, and updates the data. They are, for example, data such asregistration dates (not shown) and accounting states. Step S106 is sameas Step S84 in FIG. 59, and description thereof is thus omitted. In StepS107, the user managing portion 18 of the electronic distributionservice center 1 encrypts with the temporary key K_(temp) thedistribution key K_(d) supplied from the key server 14, and sends thesame to the home server 51 along with the registration information.

In Step S108, the home server 51 stores the received registrationinformation in the large capacity storing portion 68. In Step S109, thehome server 51 inputs the received registration information in thecipher processing portion 65, and the cipher processing portion 65verifies the electronic signature included in the registrationinformation with the signature verification unit 115, and has it checkedthat the apparatus ID of the home server 51 is registered, and when theverification is successful and it is confirmed that the accountingprocessing has been completed, advancement to Step S110 is made. In StepS110, the home server 51 inputs the received distribution key K_(d) inthe cipher processing portion 65. The cipher processing portion 65decrypts the received distribution key K_(d) with the decryption unit111 of the encryption/decryption module 96, using the temporary keyK_(temp), stores the same in the memory module 92 (updates it), anddeletes the accounting information retained in the memory module 92(This results in completion of settlement).

In Step S103, if it is determined that registration of the apparatushaving the ID received is not possible, advancement to Step S111 ismade, and the user managing portion 18 of the electronic distributionservice center 1 creates registration information of refusedregistration and proceeds to Step S112. In Step S112, unlike Step S107,only the registration information is sent to the home server 51.

In Step S109, if verification of the signature included in theregistration information is unsuccessful, or “registration possible” isnot written in the “registration item” included in the registrationinformation (For example, fail in accounting→unable to perform purchaseprocessing, refused registration→stop of functions of the cipherprocessing portion including playback, etc., a temporary halt ofexchanges→stop of purchase for some reason despite success in accountingprocessing, and the like are conceivable) advancement to Step S113 ismade to perform predetermined error handling.

In this way, the home server 51 updates registration information, andsends accounting information to the electronic distribution servicecenter 1, for which it receives the distribution key K_(d) supplied.

FIG. 63 and FIG. 64 is a flow chart explaining processing where thestationary apparatus 52 performs settlement, update of registrationinformation and update of the distribution key K_(d) through the homeserver 51. In Step S120, the cross authentication module 94 of the homeserver 51 and a cross authentication (not shown) of the stationaryapparatus perform cross authentication. A cross authentication processis similar to that described with reference to FIG. 52, and descriptionthereof is thus omitted. Furthermore, as described for crossauthentication, the home server 51 and the stationary apparatus 52exchange certificates with each other, and thus know each other'sapparatus ID. In Step S121, the host controller 62 of the home server 51reads registration information from the large capacity storing portion68, and has the information examined by the cipher processing portion65. The cipher processing portion 65, which receives the registrationinformation from the host controller 62, verifies the signature in theregistration information, determines whether there is the ID of thestationary apparatus, and proceeds to Step S122 when there is the ID ofthe stationary apparatus in the registration information.

In Step S122, whether or not the ID of the stationary apparatus 52 isregistered in the registration information is determined, and if the IDof the stationary apparatus 52 is registered, advancement to Step S123is made. In Step S123, the cipher processing portion 73 of thestationary apparatus 52 reads the accounting information stored in thememory module, and encrypts the same with the encryption unit using thetemporary key K_(temp). Also, the signature corresponding to theaccounting information is generated with the signature generation unit.Generation of the signature has been explained with reference to FIG.10, and description thereof is thus omitted. The host controller 72,which receives the accounting information encrypted with the temporarykey K_(temp) and its signature, reads the handling policy and priceinformation corresponding to the accounting information from the smallcapacity storing portion 75 as necessary, and sends to the home server51 the accounting information encrypted with the temporary key K_(temp)and its signature, and the handling policy and price informationcorresponding to the accounting information, as necessary.

The home server 51, which receives these data, stores the handlingpolicy and price information in the large capacity storing portion 68 ifreceiving them, and inputs the accounting information encrypted with thetemporary key K_(temp) and its signature in the cipher processingportion 65. The cipher processing portion 65, which receives theaccounting information encrypted with the temporary key K_(temp) and itssignature, verifies the signature for the accounting informationencrypted with the temporary key K_(temp), by the signature verificationunit 115 of the encryption/decryption module 96. Verification of thesignature is same as that described with reference to FIG. 11, detaileddescription thereof is thus omitted. And, the decryption unit 111 of theencryption/decryption module 96 decrypts the accounting informationencrypted with the temporary key K_(temp).

In Step S124, the home server 51 performs cross authentication andshares the temporary key K_(temp) 2 with the cross authenticatingportion 17 of the electronic distribution service center 1. In StepS125, the home server 51 encrypts the accounting information sent fromthe stationary apparatus 52 with the encryption unit 112 of theencryption/decryption module 96, using the temporary key K_(temp) 2. Atthis time, the accounting information of the home server 51 may also beencrypted together. Also, the signature corresponding to the accountinginformation encrypted with the temporary key K_(temp) 2 is generatedwith the signature generation unit 114 of the encryption/decryptionmodule 96. The host controller 62, which receives the accountinginformation encrypted with the temporary key K_(temp) 2 and itssignature, reads the handling policy, price information and registrationinformation corresponding to the accounting information from the largecapacity storing portion 68 as necessary, and sends the accountinginformation encrypted with the temporary key K_(temp) 2 and itssignature, and the handling policy, price information and registrationinformation corresponding to the accounting information as necessary tothe user managing portion 18 of the electronic distribution servicecenter 1.

In Step S126, the user managing portion 18 of the electronicdistribution service center 1 retrieves the user registration database.In Step S127, whether or not the home server 51 and the stationaryapparatus 52 are registered to the “registration” items in theregistration database as being registration possible is determined, andif it is determined that they are registered, advancement to Step S128is made. In Step S128, the user managing portion 18 of the electronicdistribution service center 1 verifies the signature for the accountinginformation encrypted with the temporary key K_(temp) 2, and decryptsthe accounting information with the temporary key K_(temp) 2. And, theaccounting information, and the handling policy and price information ifreceived are sent to the background data managing portion 15. Thebackground data managing portion 15, which receives the accountinginformation, and the handling policy and price information if received,manages and stores those data.

In Step S129, the user managing portion 18 of the electronicdistribution service center 1 updates the user registration database(the accounting data reception date, registration information issuancedata, distribution key issuance date and the like not shown in thefigure). In Step S130, the user managing portion 18 of the electronicdistribution service center 1 creates registration information (a caseof FIG. 18, for example). In Step S131, the user managing portion 18 ofthe electronic distribution service center 1 encrypts with the temporarykey K_(temp) 2 the distribution key K_(d) received from the key server14 of the electronic distribution service center 1, and generates thesignature for the distribution key K_(d) encrypted with the temporarykey K_(temp) 2. And, the registration information, the distribution keyK_(d) encrypted with the temporary key K_(temp) 2, and the signature forthe distribution key K_(d) encrypted with the temporary key K_(temp) 2are sent to the home server 51.

In Step S132, the home server 51 receives the registration information,the distribution key K_(d) encrypted with the temporary key K_(temp) 2,and the signature for the distribution key K_(d) encrypted with thetemporary key K_(temp) 2. The host controller 62 of the home server 51inputs the distribution key K_(d) encrypted with the temporary keyK_(temp) 2, and the signature for the distribution key K_(d) encryptedwith the temporary key K_(temp) 2 in the cipher processing portion 65.In the cipher processing portion 65, the signature verification unit 115of the encryption/decryption module 96 verifies the signature for thedistribution key K_(d) encrypted with the temporary key K_(temp) 2, andthe decryption unit 111 of the encryption/decryption module 96 decryptsthe distribution key K_(d) using the temporary key K_(temp) 2, and theencryption unit 112 of the encryption/decryption module 96 encryptsagain the decrypted distribution key K_(d), using the temporary keyK_(temp) shared with the stationary apparatus 52. Finally, the signaturegeneration unit 114 of the encryption/decryption module 96 generates thesignature corresponding to the distribution key K_(d) encrypted with thetemporary key K_(temp), and sends the distribution key K_(d) encryptedwith the temporary key K_(temp) and the signature for the distributionkey K_(d) encrypted with the temporary key K_(temp) back to the hostcontroller 62. The host controller, which receives the distribution keyK_(d) encrypted with the temporary key K_(temp) and the signature forthe distribution key K_(d) encrypted with the temporary key K_(temp),sends the same to the stationary apparatus 52 along with theregistration information sent from the electronic distribution servicecenter 1.

In Step S133, the host controller 72 of the stationary apparatus 52overwrites the received registration information and stores it in thesmall capacity storing portion 75. In Step S134, the cipher processingportion 73 of the stationary apparatus 52 verifies the signature of thereceived registration information to determine whether or not the itemfor “registration” of the ID of the stationary apparatus 52 is“registration possible”, and if it is “registration possible”,advancement to Step S135 is made. In Step S135, the host controller ofthe stationary apparatus 52 inputs in the cipher processing portion 73the distribution key K_(d) encrypted with the temporary key K_(temp) andthe signature for the distribution key K_(d) encrypted with thetemporary key K_(temp). The cipher processing portion 73 verifies thesignature for the distribution key K_(d) encrypted with the temporarykey K_(temp), decrypts the distribution key K_(d) using the temporarykey K_(temp), updates the distribution key K_(d) in the memory module ofthe cipher processing portion 73, and deletes the accounting information(Furthermore, there may be cases where the accounting information is notactually deleted, but a mark of completed settlement is simply addedthereto).

In Step S121, if the ID of the stationary apparatus 52 is not includedin the registration information, advancement to Step S136 is made,registration information addition processing is started, and advancementto Step S123 is made.

In Step S127, if the ID of the home server 51 or the ID of thestationary apparatus 52 is not “registration possible” for the“registration item” in the user registration database, advancement toStep S137 is made. Step S137 is similar to Step S130, and detaileddescription thereof is thus omitted. For Step S138, in Step S131, theuser managing portion 18 of the electronic distribution service center 1sends the registration information to the home server 51. In Step S139,the home server 51 sends the registration information to the stationaryapparatus 52.

If the “registration” item for the ID of the stationary apparatus 52 inthe registration information is not “registration possible” in StepS122, and if the “registration” item for the ID of the stationaryapparatus 52 in the registration information is not “registrationpossible” in Step S134, the processing is ended.

Furthermore, proxy processing according to this system is processing ofthe stationary apparatus 52 alone, but all the account information ofall apparatuses connected to the home server 51 and the home server 51itself may be collected to perform batch processing. And, update of theregistration information and distribution keys K_(d) of all apparatusesis performed (in this example, the received registration information anddistribution key K_(d) are not checked at all by the home server 51. Inthe case where processing of the home server 51 itself is also performedin a batch, they should be checked and updated as a matter of course).

Now, processing where the content provider 2 sends the content providersecure container to the service provider 3, which corresponds to StepS43 in FIG. 56 will be described, using a flow chart of FIG. 65. In StepS140, the electronic watermark adding portion 32 of the content provider2 inserts predetermined data indicating the content provider 2, forexample the content provider ID into the contents read from the contentserver 31 in the form of an electronic watermark, and supplies the sameto the compressing portion 33. In Step S141, the compressing portion 33of the content provider 2 compresses the contents with the electronicwatermark inserted therein with a predetermined system such as ATRAC,and supplies the same to the content encrypting portion 34. In StepS142, the content key generating portion 35 has a key for use as thecontent key K_(co) generated, and supplies the key to the contentencrypting portion 34 and the content key encrypting portion 36. In StepS143, the content encrypting portion 34 of the content provider 2encrypts the compressed contents with the electronic watermark insertedtherein, with a predetermined system such as DES, using the content keyK_(co).

In Step S144, the content key encrypting portion 36 encrypts thecontents K_(co) with the individual key K_(i) supplied from theelectronic distribution service center 1, through the process of StepS40 in FIG. 56, using a predetermined method such as DES. In Step S145,the handling policy generating portion 37 defines the handling policy ofthe contents, and generates the handling policy as shown in FIG. 33 orFIG. 34. In Step S146, the signature generating portion 38 of thecontent provider 2 generates the signature for the encrypted contents,the encrypted content key K_(co), the encrypted individual key K_(i),and the handling policy supplied from the handling policy generatingportion 37. Generation of the signature is similar to that describedreferring to FIG. 10 and description thereof is thus omitted herein. InStep S147, the content provider 2 sends to the service provider 3 theencrypted contents and the signature thereof, the encrypted content keyK_(co) and the signature thereof, the encrypted individual key K_(i) andthe signature thereof, the handling policy and the signature thereof(Hereinafter, these four data with signatures are referred to as thecontent provider secure container), and the certificate of the contentprovider 2 received in advance from the authenticator station, using asending portion not shown in the figure.

As described above, the content provider 2 sends the content providersecure container to the service provider 3.

Now, processing where the service provider 3 sends the service providersecure container to the home server 51, which corresponds to Step S44 ofFIG. 56 will be described, using a flow chart of FIG. 66. Furthermore,explanation will be presented, assuming that the service provider 3stores in advance the data sent from the content provider 2 in thecontent server 41. In Step S150, the certificate verifying portion 42 ofthe service provider 3 reads the signature of the certificate of thecontent provider 2 from the content server 41, and verifies thesignature in the certificate. Verification of the signature is similarto that described referring to FIG. 11, and detailed description thereofis thus omitted. If the certificate is not tampered, the public keyK_(pcp) of the content provider 2 is fetched.

In Step S151, the signature verifying portion 43 of the service provider3 verifies the signature of the content provider secure container sentfrom the sending portion of the content provider 2, with the public keyK_(pcp) of the content provider 2 (There may be cases where only thesignature of the handling policy is verified). If the verification ofthe signature is not successful and tampering is found, processing isended. Furthermore, the method of verification of the signature issimilar to that described referring to FIG. 11, and detailed descriptionthereof is thus omitted.

In the case where the content provider secure container is not tampered,the pricing portion 44 of the service provider 3 creates priceinformation as described with reference to FIG. 37 and FIG. 38 based onthe handling policy, in Step S152. In Step S153, the signaturegenerating portion 45 of the service provider 3 generates the signaturefor the price information, and creates the service provider securecontainer with content provider secure container, the price informationand the signature of the price information being combined together.

In Step S154, the sending portion (not shown) of the service provider 3sends the certificate of the service provider 3, the certificate of thecontent provider 2, and the service provider secure container to thecommunicating portion 61 of the home server 51.

In this way, the service provider 3 sends the service provider securecontainer to the home server 51.

Detailed purchase processing of the home server 51 after reception ofthe correct service provider secure container, which corresponds to StepS45 of FIG. 56, will be described using a flow chart of FIG. 67. In StepS161, the home server 51 performs registration information updateprocessing described above with respect to FIG. 61 and FIG. 62, and thenin Step S162, the host controller 62 of the home server 51 inputs theregistration information read from the large capacity storing portion 68of the home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives theregistration information, verifies the signature of the registrationinformation with the signature verification unit 115 of theencryption/decryption module 96, and then determines whether the item of“purchase processing” for the ID of the home server 51 is “purchasepossible”, and examines whether the item of registration is“registration possible”, and proceeds to Step S163 if they are “purchasepossible” and “registration possible”. Furthermore, signatureverification and examination for “purchase possible” and “registrationpossible” may also be performed with the registration informationchecking module 93. In Step S163, the host controller 62 of the homeserver 51 inputs the public key certificate of the content provider 2read from the large capacity storing portion 68 of the home server 51 inthe cipher processing portion 65 of the home server 51.

The cipher processing portion, which receives the public key certificateof the content provider 2, verifies the signature of the certificate ofthe content provider 2 with the signature verification unit 115 of theencryption/decryption module 96, followed by fetching the public key ofthe content provider 2 from the public key certificate. In the casewhere it is confirmed that no tampering has been made as a result ofverification, advancement to Step S164 is made. In Step S164, the hostcontroller 62 of the home server 51 inputs the contents read from thelarge capacity storing portion 68 of the home server 51 in the cipherprocessing portion 65 of the home server 51. The cipher processingportion 65, which receives the contents, verifies the signature of thecontents with the signature verification unit 115 of theencryption/decryption module 96, and then proceeds to step S165 if it isconfirmed that no tampering has been made. In Step S165, the hostcontroller 62 of the home server 51 inputs the content key K_(co) readfrom the large capacity storing portion 68 of the home server 51 in thecipher processing portion 65 of the home server 51.

The cipher processing portion 65, which receives the content key K_(co),verifies the signature of the content key K_(co) with the signatureverification unit 115 of the encryption/decryption module 96, and thenproceeds to Step S166 if it is confirmed that no tampering has beenmade. In Step S166, the host controller 62 of the home server 51 inputsthe individual key K_(i) read from the large capacity storing portion 68of the home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives theindividual key K_(i), verifies the signature of the individual key K_(i)with the signature verification unit 115 of the encryption/decryptionmodule 96, and the proceeds to Step S167 if it is confirmed that notampering has been made.

In Step S167, the host controller 62 of the home server 51 inputs thehandling policy read from the large capacity storing portion 68 of thehome server 51 in the cipher processing portion 65 of the home server51. The cipher processing portion 65, which receives the handlingpolicy, verifies the signature of the handling policy with the signatureverification unit 115 of the encryption/decryption module 96, and thenproceeds to Step S168 if it is confirmed that no tampering has beenmade. In Step S168, the host controller 62 of the home server 51 inputsthe public key certificate of the service provider 3 read from the largecapacity storing portion 68 of the home server 51 in the cipherprocessing portion 65 of the home server 51.

The cipher processing portion 65, which receives the public keycertificate of the service provider 3, verifies the signature of thecertificate of the service provider 3 with the signature verificationunit 115 of the encryption/decryption module 96, followed by fetchingthe public key of the service provider 3 from the public keycertificate. If it is confirmed that no tampering has been made as aresult of the verification of the signature, advancement to Step S169 ismade. In Step S169, the host controller 62 of the home server 51 inputsthe price information read from the large capacity storing portion 68 ofthe home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives the priceinformation, verifies the signature of the price information with thesignature verification unit 115 of the encryption/decryption module 96,and then proceeds to Step S170 if it is confirmed that no tampering hasbeen made.

In Step S170, the host controller 62 of the home server 51 displaysinformation of purchasable contents (for example, purchasable usagepatterns and prices) using the displaying means 64, and the user selectspurchase items using the inputting means 63. A signal inputted from theinputting means 63 is sent to the host controller 62 of the home server51, and the host controller 62 generates a purchase command based on thesignal, and inputs the purchase command in the cipher processing portion65 of the home server 51. Furthermore, these input processing may beperformed when purchase processing is started. The cipher processingportion 65, which receives this, generates accounting information andlicense condition information from the handling policy inputted in StepS167 and the price information inputted in Step S169. The accountinginformation has been described with reference to FIG. 42, anddescription thereof is thus omitted. The license condition informationhas been described with reference to FIG. 41, and description thereof isthus omitted.

In Step S171, the controlling portion 91 of the cipher processingportion 65 stores the accounting information generated in Step S170 inthe memory module 92. In Step S172, the controlling portion 91 of thecipher processing portion 65 sends the license condition informationgenerated in Step S170 to the external memory controlling portion 97 ofthe cipher processing portion 65. The external memory controllingportion 97, which receives the license condition information makes atamper check for the external memory 67, followed by writing the licensecondition information in the external memory 67. The tamper check at thetime of writing it will be described later, using FIG. 69. In Step S173,the controlling portion 91 of the cipher processing portion 65 decryptsthe individual key K_(i) inputted in Step S166, with the decryption unit111 of the encryption/decryption module 96, using the distribution keyK_(d) supplied from the memory module 92. Then, the controlling portion91 of the cipher processing portion 65 decrypts the content key K_(co)inputted in Step S165, with decryption unit 111 of theencryption/decryption module 96, using the individual key K_(i) justdecrypted. Finally, the controlling portion 91 of the cipher processingportion 65 encrypts the content key K_(co) with the encryption unit 112of the encryption/decryption module 96, using the save key K_(save)supplied from the memory module 92. In Step S174, the content key K_(co)encrypted with the save key K_(save) is stored in the external memory 67by way of the external memory controlling portion 97 of the cipherprocessing portion 65.

If the home server 51 is determined as an apparatus incapable ofperforming purchase processing in Step S162, or if it is determined inStep S163 that the signature of the public key certificate of thecontent provider 2 is incorrect, or if it is determined in Step S164that the signature of the contents encrypted with the content key K_(co)is incorrect, or if it is determined in Step S165 that the signature ofthe content key K_(co) encrypted with the individual key K_(i) isincorrect, or if it is determined in Step S166 that the signature of theindividual key K_(i) encrypted with the distribution key K_(d) isincorrect, or if it is determined in Step S167 that the signature of thehandling policy is incorrect, or if it is determined in Step S168 thatthe signature of the certificate of the service provider 3 is incorrect,or if it is determined in Step S169 that the signature of priceinformation is incorrect, the home server 51 proceeds to Step S176 todeal with errors. In the connection, processings in Step S165 and StepS166 may be integrated to one so as to verify one signature for contentkey K_(co) and individual key K_(i).

As described above, the home server 51 stores accounting information inthe memory module 92, and decrypts the content key K_(co) with theindividual key K_(i), followed by encrypting the content key K_(co) withthe save key K_(save), and having the same stored in the external memory67.

With similar processing, the stationary apparatus 52 also storesaccounting information in the memory module of the cipher processingportion 73, decrypts the content key K_(co) with the individual keyK_(i), encrypts the content key K_(co) with the save key K_(save) 2(different from the key of the home server 51), and has the same storedin the external memory 79.

FIG. 68 is a flow chart explaining a method of checking for a tamper,which the external memory controlling portion 97 of the cipherprocessing portion 65 performs when reading data from the externalmemory 67. In step S180 of FIG. 68, the external memory controllingportion 97 of the cipher processing portion 65 retrieves a place of datato be read from the external memory 67 (for example, the first data inthe first block of FIG. 16). In Step S181, the external memorycontrolling portion 97 of the cipher processing portion 65 calculatesthe hash value for all the data in the same block including data due tobe read in the external memory 67 (the hash value for the entire firstblock of FIG. 16). At this time, data other than the data due to be read(for example, content key 1 and license condition information 1) arediscarded after they are used for calculation of the hash value. In stepS182, the hash value calculated in Step S181 is compared with the hashvalue (ICV₁) stored in the memory module 92 of the cipher processingportion 65. If they match each other, data read in Step S181 is sent tothe controlling portion 91 via the external memory controlling portion97, and if they do not match each other, the external memory controllingportion 97 proceeds to Step S183, and prohibits following read andwrite, considering that the memory block has been tampered (consideringit as a failed block). For example, when the external memory isconsidered as a flash memory of 4 MB, it is assumed that this memory isdivided into 64 blocks. Therefore, in the memory module are stored 64 ofhash values. When data is read out, first a place where data exists isretrieved and the hash value for all data including such data iscalculated. A tamper check is made based on whether or not this hashvalue matches the hash value corresponding the block in the memorymodule (See FIG. 16).

In this way, the external memory controlling portion 97 of the cipherprocessing portion 65 makes a tamper check for the external memory andreads data.

FIG. 69 is a flow chart explaining a method of checking for tamper,which is performed by the external memory controlling portion 97 of thecipher processing portion 65 when data is written in the external memory67. In Step S190A of FIG. 69, the external memory controlling portion 97of the cipher processing portion 65 retrieves a place where data can bewritten in the external memory 67. In Step S191A, the external memorycontrolling portion 97 of the cipher processing portion 65 determineswhether or not there is a free area in the external memory 67, and thenproceeds to Step S192A if determining that there is a free area. In StepS192A, the external memory controlling portion 97 of the cipherprocessing portion 65 calculates the hash value for all the data in adata block due to be written. In Step S193A, the hash value calculatedin Step S192A is compared with the hash value stored in the memorymodule 92 of the cipher processing portion 65, and if they match eachother, then advancement to Step S194A is made. In Step 5194A, data iswritten in an area projected for write operations. In Step S195A, theexternal memory controlling portion 97 of the cipher processing portion65 calculates again the hash value for all the data in the data blockthat has been written. In Step S196A, the controlling portion 91 updatesthe hash value in the memory module 92 of the cipher processing portion65 to the hash value calculated in Step S195A.

If the calculated hash value is different from the hash value in thememory module 92 in Step S193A, the controlling portion 91 defines thememory block as a failed block (for example, changes the hash value to avalue indicating a failed block) and proceeds to Step S190A.

In Step S191A, if it is determined that there is no free area in theexternal memory 67, then advancement to Step S198A is made, and in StepS198A, the external memory controlling portion 97 sends back a writeerror to the controlling portion 91 and ends processing.

For a method for rewriting (updating) in the external memory 67 of theexternal memory controlling portion 97, as shown in FIG. 70, theexternal memory controlling portion 97 of the cipher processing portion65 retrieves a place for rewriting data in the external memory in StepS190B. In Step S192B, the external memory controlling portion 97 of thecipher processing portion 65 calculates the hash value for all the datain a data block due to be rewritten. In step S193B, the hash valuecalculated in Step S192B is compared with the hash value stored in thememory module 92 of the cipher processing portion 65, and if they matcheach other, then advancement to Step S194B is made. In Step S194B, datain an area projected for rewriting operations are rewritten. In StepS195B, the external memory controlling portion 97 of the cipherprocessing portion 65 calculates again the hash value for all the datain the data block that has been written. In Step S196B, the controllingportion 91 updates the hash value in the memory module 92 of the cipherprocessing portion 65 to the hash value calculated in Step S195B.

If the calculated hash value is different from the hash value in thememory module 92 in Step S193B, the controlling portion 91 defines thememory block as a failed block (for example, changes the hash value to avalue indicating a failed block) and determines that rewrite has beenfailed.

A method for deleting data in the external memory 79 will be described,using FIG. 71. In Step S190C, the external memory controlling portion ofthe cipher processing portion 73 retrieves a location where the data inexternal memory 79 is to be deleted. In Step S 192C, the external memorycontrolling portion of the cipher processing portion 73 calculates thehash value for all the data in a data block projected for deletion ofdata. In Step S193C, the hash value calculated in Step S192C is comparedwith the hash value stored in the memory module (not shown) of thecipher processing portion 73, and if they match each other, thenadvancement to Step S194C is made. In Step S194C, data due to be deletedin an area projected for deletion is deleted. In Step S195C, theexternal memory controlling portion of the cipher processing portion 73calculates again the hash value for all the data in the data block wherethe data due to be deleted is deleted. In Step S196C, the cipherprocessing portion 73 updates the hash value in the memory module to thehash value calculated in Step S195C.

In Step S193C, if the calculated hash value is different from the hashvalue in the memory module, the cipher processing portion 73 defines thememory block as a failed block (for example, changes the hash value to avalue indicating a failed block), and determines that deletion has beenfailed.

Detailed description of processing where the home server 51 plays backthe contents, which corresponds to Step S46 of FIG. 56, will bepresented, using flow charts of FIG. 72 and FIG. 73. In step S200, thehost controller 62 of the home server 51 inputs the ID corresponding tothe contents of which playback is instructed from the inputting means 63of the home server 51 in the cipher processing portion 65 of the homeserver 51. In Step S201, the controlling portion 91 of the cipherprocessing portion 65, which receives the content ID to be played back,sends the content ID to the external memory controlling portion 97 ofthe cipher processing portion 65, and has the content key K_(co)corresponding to the content ID and license condition informationretrieved. At this time, it confirms that the license conditioninformation is a right capable of being regenerated. In Step S202, theexternal memory controlling portion 97 of the cipher processing portion65 calculates the hash value of the data block including the content keyK_(co) and the license condition information, and sends the hash valueto the controlling portion 91 of the cipher processing portion 65. InStep S203, the controlling portion 91 of the cipher processing portion65 determines whether or not the hash value stored in the memory module92 of the cipher processing portion 65 matches the hash value receivedin Step S202, and then proceeds to Step S204 if they match each other.

In Step S204, the controlling portion 91 of the cipher processingportion 65 updates the license condition information as necessary. Forexample, if usage right in the license condition information isrepresented by a coupon ticket, it is a process to subtract the numberof counts of the coupon ticket, and so on. Thus, purchased right and thelike requiring no update do not need to be updated, and in that case, ajump to Step S208 is made (not shown). In Step S205, the externalcontrolling portion 97 rewrites and updates in the external memory 67the updated license condition information sent from the controllingportion 91. In Step S206, the external memory controlling portion 97calculates the hash value for all the data in the rewritten data block,and sends the hash value to the controlling portion 91 of the cipherprocessing portion 65. In Step S207, the controlling portion 91 of thecipher processing portion 65 rewrites the hash value stored in thememory module 92 of the cipher processing portion 65 to the hash valuecalculated in Step S206.

In Step S208, the cipher processing portion 65 and the extending portion66 perform cross authentication, and share the temporary key K_(temp)The cross authentication is same as that described using FIG. 51, anddetailed description thereof is thus omitted. In Step S209, thedecryption unit 111 of the encryption/decryption module 96 decrypts thecontent key K_(co) read from the external memory 97, with the save keyK_(save) supplied from the memory module 92. In Step S210, theencryption unit 112 of the encryption/decryption module 96 encryptsagain the content key K_(co) with the temporary key K_(temp) just sharedwith the extending portion 66. In Step S211, the controlling portion 91of the cipher processing portion 65 sends the content key K_(co)encrypted with the temporary key K_(temp) to the extending portion 66via the host controller 62.

In Step S212, the key decryption module 102 of the extending portion 66decrypts the content key K_(c) with the temporary key K_(temp) suppliedfrom the cross authentication module 101. In Step S213, the hostcontroller 62 reads the contents from the large capacity storing portion68, and supplies the contents to the extending portion 66. Thedecryption module 103 of the extending portion 66, which receives thecontents, decrypts the contents using the content key K_(co) suppliedfrom the key decryption module 102. In Step S214, the extending module104 of the extending portion 66 extends the contents with apredetermined system, for example a system such as ATRAC. In Step S215,the electronic watermark addition module 105 inserts data indicated fromthe cipher processing portion 65 into the contents in the form of anelectronic watermark (Data passed from the cipher processing portion tothe extending portion include not only the content key K_(co) but alsoplayback conditions (analog output, digital output, output with copycontrolling signals (SCMS)), the ID of the apparatus that has purchasedcontent usage right, and so on. Data to be inserted is the ID of theapparatus that has purchased the content usage right (that is, theapparatus ID in the license condition information, and the like). InStep S216, the extending portion 66 plays back music via a speaker notshown in the figure.

In this way, the home server 51 plays back the contents.

FIG. 74 is a flow chart explaining a detailed process in which the homeserver 51 purchases content usage right as a proxy for the stationaryapparatus 52. In step S220, the home server 51 and the stationaryapparatus 52 perform cross authentication. Cross authenticationprocessing is similar to that described with reference to FIG. 52, anddescription thereof is thus omitted. In Step S221, the host controller62 of the home server 51 makes the cipher processing portion 65 of thehome server 51 examine the registration information read from the largecapacity storing portion 68 of the home server 51. The cipher processingportion 65, which receives the registration information from the hostcontroller 62, makes the signature authentication unit 115 of theencryption/decryption module 96 authenticate the signature added to theregistration information, with the public key of the electronicdistribution service center 1 supplied from the memory module 92 of thecipher processing portion 65. After success in authentication of thesignature, the controlling portion 91 of the cipher processing portion65 determines whether the ID of the stationary apparatus is registeredin the registration information and the items of “registration” and“purchase” are “registration possible” and “purchase possible”, and thenproceeds to Step S222 if it is “registration possible” (Furthermore, theregistration information is also examined at the stationary apparatus52, and it is determined that the home server 51 is “registrationpossible”). Step S225 to Step S227 are similar to processes of Step S160 to Step S171 of FIG. 67, and description thereof is thus omitted.

In Step S228, the controlling portion 91 of the cipher processingportion 65 decrypts the individual key K_(i) encrypted with thedistribution key K_(d) inputted in Step S225, with the encryption unit111 of the encryption/decryption module 96, using the distribution keyK_(d) supplied from the memory module 92. Then, the controlling portion91 of the cipher processing portion 65 decrypts the content key K_(co)encrypted with the individual key K_(i) inputted in Step S225, with thedecryption unit 111 of the encryption/decryption module 96, using theindividual key K_(i). And, the controlling portion 91 of the cipherprocessing portion 65 encrypts again the content key K_(co) with theencryption unit 112 of the encryption/decryption module 96, using thetemporary key K_(temp) shared with the stationary apparatus 52 duringcross authentication in Step S220. In step S229, the controlling portion91 of the cipher processing portion 65 generates the signature for thecontent key K_(co) encrypted with the temporary key K_(temp) and thelicense condition information generated in Step S226, using thesignature generation unit 114 of the encryption/decryption module 96,and sends the signature to the host controller 62. The host controller62 of the home server 51, which receives the content key K_(co)encrypted with the temporary key K_(temp), the license conditioninformation and their signatures, reads the contents encrypted with thecontent key K_(co) (Including signatures. Same in the following) fromthe large capacity storing portion 68, and sends the content key K_(co)encrypted with the temporary key K_(temp), the license conditioninformation, their signatures and the contents encrypted with thecontent key K_(co) to the stationary apparatus 52.

In Step S230, the stationary apparatus 52, which receives the contentkey K_(co) encrypted with the temporary key K_(temp), the licensecondition information, their signatures and the contents encrypted withthe content key K_(co), verifies the signature, followed by outputtingthe contents encrypted with the content key K_(co) to the recording andplaying portion 76 of the stationary apparatus 52. The recording andplaying portion 76 of the stationary apparatus 52, which receives thecontents encrypted with the content key K_(co), stores the contentsencrypted with the content key K_(co) in the recording medium 80.

In Step S231, the cipher processing portion 73 of the stationaryapparatus 52 decrypts the content key K_(co) encrypted with thetemporary key K_(temp), with the decryption unit of theencryption/decryption module, using the temporary key K_(temp) sharedwith the home server 51 during cross authentication in Step S220. And,the controlling portion of the cipher processing portion 73 encryptsagain the content key K_(co) with the encryption unit of theencryption/decryption module, using the save key K_(save) 2 suppliedfrom the memory module of the cipher processing portion 73.

In Step S232, the cipher processing portion 73 of the stationaryapparatus 52 sends the content key K_(co) encrypted with the save keyK_(save) 2 and the license condition information received in Step S230to the external memory controlling portion of the cipher processingportion 73, and has the same stored in the external memory 79.Processing where the external memory controlling portion writes data inthe external memory has been already described with reference to FIG.69, detailed description thereof is thus omitted.

In this way, the home server 51 purchases content usage right, theaccounting information is stored at the home server 51 side, and theusage right is delivered to the stationary apparatus 52.

FIG. 75 is a flow chart showing processing where the home server 51changes the content usage right that has been already purchased toanother usage pattern and purchases it. Step S240 to Step S245 of FIG.75 are processes similar to those described with reference to FIG. 67,and description thereof is thus omitted. In Step S246, the cipherprocessing portion 65 of the home server 51 makes the external memorycontrolling portion 97 of the cipher processing portion 65 read out thelicense condition information of the contents of which usage right ischanged. Read-out of data from the external memory 67 has been describedreferring to FIG. 68, and detailed description thereof is thus omitted.In the case where the license condition information can be normally readout in Step S246, advancement to Step S247 is made.

In Step S247, the host controller 62 of the home server 51 displaysinformation of contents of which usage right content can be changed (forexample, usage patterns and prices of which usage right content can bechanged) using the displaying means 64, and user selects usage rightcontents update condition using the inputting means 63. A signalinputted from the inputting means 63 is sent to the host controller 62of the home server 51, and the host controller 62 generates a usageright contents changing demand based on the signal and inputs the usageright contents changing demand in the cipher processing portion 65 ofthe home server 51. The cipher processing portion 65, which receivesthis, generates accounting information and new license conditioninformation from the handling policy received in Step S243, the priceinformation received in Step S245 and the license condition informationread out in Step S247.

Step S248 is similar to Step S171 of FIG. 67, and detailed descriptionthereof is thus omitted. In Step S249, the controlling portion 91 of thecipher processing portion 65 outputs the license condition informationgenerated in Step S247 to the external memory controlling portion 97 ofthe cipher processing portion 65. The external memory controllingportion 97 rewrites and updates in the external memory 67 the receivedlicense condition information. A method for rewriting (updating) in theexternal memory 67 of the external memory controlling portion 97 hasbeen described with reference to FIG. 70, and detailed descriptionthereof is thus omitted.

In Step S246, if license condition information corresponding to thecontent ID added to the right contents changing command is not found inthe external memory 67, or if a tamper is found in the memory block ofthe external memory in which the license condition information is stored(already described referring to FIG. 68), advancement to Step S251 ismade, and predetermined error processing is performed.

In this way, the home server 51 may purchase new right using the rightthat has been already purchased, and the handling-policy and priceinformation to change usage right contents.

FIG. 76 and FIG. 77 show specific examples of the rule component of thehandling policy and price information. In FIG. 76, the handling policyis constituted by a rule number added as a reference number for eachusage right, a usage right content number indicating the usage rightcontents, its parameter, a minimum selling price and the rate ofbenefits of the content provider, and in this handling policy aredescribed five rules, for example. For the rule 1, since the right itemis of usage right content number 1, it is understood from FIG. 44 thatthe right is playback right and right with no limit on time and thenumber of times. Also, it is understood that there is no particulardescription in the parameter item. The minimum-selling price is ¥350.The earnings of the content provider 2 are 30% of the price. For therule 2, since the right item is of usage right content number 2, it isunderstood from FIG. 44 that the right is playback right and right withlimit on time and no limit on the number of times. Also, it isunderstood from the parameter item that the period limited for use isone hour. The minimum-selling price is ¥100, and the earnings of thecontent provider 2 is 30% of the price. For the rule 3, since the rightitem is of usage right content number 6, it is understood from FIG. 44that the right is replication right (with no copy control signal), andright with no limit on time and with limit on the number of times. Also,it is understood from the parameter item that the number of timeslimited for use is one. The minimum-selling price is ¥30, and theearnings of the content provider 2 are 30% of the price.

For the rule 4, since the right item is of usage right content number13, it is understood from FIG. 44 that the right is change of usagecontents. It is understood from the parameter item that changeable rulenumbers are from #2 (playback right, with limit on time and no limit onthe number of times) to #1 (playback right wit no limit on time and thenumber of times). The minimum-selling price is ¥200, and the earnings ofthe content provider 2 are 20% of the price. The minimum-selling pricepresented is lower that that of the rule 1 because it is intended thatthe right already purchased is taken as a trade-in and repurchased, andthe earnings of the content provider 2, which are presented, are lowerthan those of the rule 1 for the purpose of increasing the earnings ofthe electronic distribution service center 1 that is involved inpractical works (Because the content provider 2 has no works when theright contents are changed).

For the rule 5, since the right item is of usage right content number14, it is understood from FIG. 44 that the right is redistribution. Itis understood from the parameter item that the redistribution enablingcondition is that the apparatus having the rule number #1 (playbackright with no limit on time and the number of times) purchases andredistributes the rule number 1 (playback right with no limit on timeand the number of times). The minimum-selling price is ¥250, and theearnings of the content provider 2 are 20% of the price. Theminimum-selling price presented is lower than that of the rule 1 becausethe apparatus having right already purchased intends to repurchase theright for the same contents, and the earnings of the content provider 2,which are presented, are lower than those of the rule 1 for the purposeof increasing the earnings of the electronic distribution service center1 that is involved in practical works (Because the content provider 2has no works during redistribution).

In FIG. 77, price information is constituted by a rule number added as areference number for each usage right, a parameter and priceinformation, and in this price information are also described fiverules. The rule 1 is price information for the rule #1 of the handlingpolicy, and shows that the price is ¥500 and the earnings of the serviceprovider 3 are 30% when the usage right content number #1 is purchased.Thus, of ¥500 paid by the user, the content provider 2 will take ¥150,the service provider 3 ¥150, and the electronic distribution servicecenter 1 ¥200. The rules 2 to 5 are in a similar way, and detaileddescription thereof is thus omitted.

Furthermore, in the rules 4 and 5, the earnings of the service provider2 are smaller than those of the rule 1 because the user apparatusperform distribution operations of the service provider 2 as a proxy,and collection of paid money is performed by the electronic distributionservice center 1.

Also, in this example, rule numbers are consecutive numbers from #1 to#5, but the numbers are not necessarily consecutive. The creator definesa usage right number and a parameter for each rule number and arrangesthose extracted therefrom, which does not result in consecutive numbersin general.

FIG. 78 shows a specific example in the case of performing change ofright contents described with reference to FIG. 75. The handling policyis constituted by a rule number added as a reference number for eachusage right, a usage content number indicating the usage right contents,its parameter, a minimum-selling price and the rate of benefits of thecontent provider, the price information is constituted by a rule numberadded as a reference number for each usage right, a parameter and aprice information and the license condition information is constitutedby a rule number added as a reference number for each usage right, ausage right content number indicating the usage right content and itsparameter. The home server 51 has already purchased playback right ofrule number #2, right with limit on time, the rule number #2 isdescribed in the license condition information indicating the rightcontents, and usage possible time is remaining thirty minutes,indicating that total two hours's purchase has been made up to thepresent time. If a change from right with limit on time to right nolimit on time is to be made, now, it is understood, from the rule 3 ofthe handling policy, the rule 3 of the price information and the licensecondition information, that a change to playback right with no limit ontime and the number of times can be made with ¥200, and the licensecondition information changes to the role number #1, playback right ofthe usage right content number, with no limit on time and the number oftimes (The parameter in the case of usage right content number #1 willbe described later. Also, as for this example, right with limit on timeis once purchased, and then its right contents are changed, resulting inlower costs compared to cases where playback right with no limit on timeand the number of times is directly purchased. Therefore, it isadvisable to see total usage time to give a discount).

FIG. 79 is a flow chart explaining a detailed process in which homeserver 51 purchases content usage right for the stationary apparatus 52,and redistributes the usage right. Step S260 to Step S264 are similar toStep S220 to Step S225 of FIG. 74, and detailed description thereof isthus omitted. In Step S265, the cipher processing portion 65 of the homeserver 51 makes the external memory controlling portion 97 of the cipherprocessing portion 65 read from the external memory 67 the licensecondition information corresponding to the contents to be redistributedand the content key K_(co) encrypted with the save key K_(save). Amethod of reading from the external memory 67 by the externalcontrolling portion 97 has been described with reference to FIG. 68, anddetailed description thereof is thus omitted. If the reading issuccessful, advancement to Step S266 is made.

In Step S266, the host controller 62 of the home server 51 displaysinformation of re-distributable contents (for example, usage patternsand prices of re-distributable contents), using the displaying means 64,and the user selects redistribution conditions using the inputting means63. Furthermore, this selection processing may be performed in advancewhen the redistribution processing is started. A signal inputted fromthe inputting means 63 is sent to the host controller 62 of the homeserver 51, and the host controller 62 generates a redistribution commandbased on the signal and inputs the redistribution command in the cipherprocessing portion 65 of the home server 51. The cipher processingportion 65, which receives this, generates accounting information andnew license condition information from the handling policy and the priceinformation received in Step S264 and the license condition informationread out in Step S265.

Step S267 is similar to Step S171 of FIG. 67, and detailed descriptionthereof is thus omitted. In Step S268, the controlling portion 91 of thecipher processing portion 65 decrypts the content key K_(co) encryptedwith the save key K_(save) read out in Step S265, with the decryptionunit 111 of the encryption/decryption module 96, using the save keyK_(save) supplied from the memory module 92. And, the controllingportion 91 of the cipher processing portion 65 encrypts again thecontent key K_(co) with the encryption unit 112 of theencryption/decryption module 96, using the temporary key K_(temp) sharedwith the stationary apparatus 52 during cross authentication in StepS260. Finally, the signature generation unit 114 of theencryption/decryption module 96 generates the signature corresponding tothe new license condition information generated in Step S266, and sendsthe signature to the controlling portion 91 of the cipher processingportion 65.

Processes of Step S269 to Step S272 are similar to those of Step S229 toStep S232, and detailed description thereof is thus omitted.

In this way, the home server 51 can perform redistribution of thecontents, by creating new license condition information from the usageright (license condition information) retained on its own and thehandling policy and price information, and sending the new licensecondition information to the stationary apparatus 52 together with thecontent key K_(co) and the contents retained on its own.

FIG. 80 is a flow chart explaining a detailed process in which the homeserver 51 sends license condition information and the content key K_(co)for the stationary apparatus 52 to purchase content usage right by thestationary apparatus 52. In step S280, the cipher processing portion 73of the stationary apparatus 52 determines whether or not a total chargefor the accounting information stored in the memory module of the cipherprocessing portion 73 has reached an upper limit, and if the upper limithas not been reached, then advancement to Step S281 is made(Furthermore, determination by limit on the number of accountinginstances is also possible instead of determination by upper limit on atotal charge).

In Step S281, the host controller 72 of the stationary apparatus 52inputs in the cipher processing portion 73 the registration informationread from the small capacity storing portion 75 of the stationaryapparatus 52. The cipher processing portion 73, which receives theregistration information, verifies the signature of the registrationinformation with the signature verification unit of theencryption/decryption module (not shown), followed by determiningwhether the item of “purchase processing” for the ID of the stationaryapparatus 52 is “purchase possible”, and then proceeds to Step S282 ifit is “purchase possible”.

Step S282 is similar to Step S220 of FIG. 74, and detailed descriptionthereof is thus omitted. Step S283 is similar to Step S221 of FIG. 74,and detailed description thereof is thus omitted (The home server 51determines whether or not the stationary apparatus 52 is registered, andthe stationary apparatus 52 determines whether or not the home server 51is registered). Step S284 is similar to Step S265 of FIG. 79, anddetailed description thereof is thus omitted. Step S285 is similar toStep S268 of FIG. 79, and detailed description thereof is thus omitted.In step S286, the controlling portion 91 of the cipher processingportion 65 generates the signature for the content key K_(co) encryptedwith the temporary key K_(temp) and the license condition informationread out in Step S284, using the signature generation unit 114 of theencryption/decryption module 96, and sends the signature to the hostcontroller 62. The host controller 62 of the home server 51, whichreceives the content key K_(co) encrypted with the temporary keyK_(temp), the license condition information and signatures thereof,reads the contents encrypted with the content key K_(co), and thehandling policy and the signature thereof, and price information and thesignature thereof as necessary from the large capacity storing portion68, and sends to the stationary apparatus 52 the content key K_(co)encrypted with the temporary key K_(temp), the license conditioninformation, signatures thereof, the contents encrypted with the contentkey K_(co), the handling policy and the signature thereof, and the priceinformation and the signature thereof.

Step S287 is similar to Step S230 of FIG. 74, and detailed descriptionthereof is thus omitted. Step S288 is similar to Step S225 of FIG. 74,and detailed description thereof is thus omitted. Step S288 is similarto Step 225 of FIG. 74, and detailed description thereof is thusomitted. In Step S289, the host controller 72 of the stationaryapparatus 52 displays information of re-distributable contents (forexample, usage patterns and prices of re-distributable contents), usingthe displaying means 78, and the user selects redistribution conditionsusing the inputting means 77. Furthermore, this selection processing maybe performed in advance when the redistribution processing is started. Asignal inputted from the inputting means 77 is sent to the hostcontroller 72 of the stationary apparatus 52, and the host controller 72generates a redistribution command based on the signal and inputs theredistribution command in the cipher processing portion 73 of thestationary apparatus 52. The cipher processing portion 73, whichreceives this, generates accounting information and new licensecondition information from the handling policy, price information andthe license condition information read out in Step S286.

In Step S290, the cipher processing portion 73 of the stationaryapparatus 52 stores the accounting information generated in Step S289 inthe memory module (not shown) of the cipher processing portion 73. Instep S291, the cipher processing portion 73 of the stationary apparatus52 decrypts the content key K_(co) encrypted with the temporary keyK_(temp) received in Step S286, with the decryption unit (not shown) ofthe cipher processing portion 73, using the temporary key K_(temp)shared in Step S282. And, the cipher processing portion 73 of thestationary apparatus 52 encrypts the content key K_(co) with theencryption unit (not shown) of the cipher processing portion 73, usingthe save key K_(save) 2 supplied from the memory module (not shown) ofthe cipher processing portion 73.

In Step S292, the cipher processing portion 73 of the stationaryapparatus 52 sends the license condition information generated in StepS289 and the content key K_(co) encrypted with the save key K_(save) 2,generated in Step S291, to external memory controlling portion (notshown) of the cipher processing portion 73. The external memorycontrolling portion, which receives license condition information andthe content key K_(co) encrypted with the save key K_(save) 2, writes inthe external memory 79 the license condition information and the contentkey K_(co) encrypted with the save key K_(save) 2. A tamper check whenwrite is performed has been described using FIG. 69, and detaileddescription thereof is thus omitted.

In this way, the stationary apparatus 52 receives from the home server51 the usage right (license condition information), the handling policy,price information, the content key K_(co) and the contents which areretained by the home server 51, and creates new license conditioninformation, thereby being able to receive redistribution of thecontents.

FIG. 81 explains management transfer right. Management transfer is anoperation by which playback right can be transferred from an apparatus 1to an apparatus 2, and the transfer is same as a usual transfer in thatright is transferred from the apparatus 1 to the apparatus 2, but isdifferent from a usual transfer in that the apparatus 2 cannotretransfer the received playback right (The apparatus 1, after transferof playback right, cannot retransfer the playback light, as in the caseof a usual transfer). The apparatus 2, which receives the playback rightthrough management transfer, can give the playback right back to theapparatus 1, and after it is given back, the apparatus 1 can transferthe playback right again, but the apparatus 2 is still unable to do so.For achieving those, purchasers of management transfer right and currentowners of management transfer right are managed with license conditioninformation (Although it is assumed here that management transfer ispossible only when having the usage right content number #1, it may beextended for the usage right content number #2).

In FIG. 81, the rule 1 of the handling policy has been described withreference to FIG. 78, detailed description thereof is thus omitted. Forthe rule 2, since the right item is of usage right content number 16, itis understood from FIG. 44 that the right is management transfer right.Also, it is understood that there is no particular description in theparameter item. The minimum-selling price is ¥100, and the earnings ofthe content provider 2 are 50% of the price. The earnings of the contentprovider 2 presented are higher that those of the rule 1, because theservice provider 3 does not carry out practical works at all, and thusits earnings are added to the earnings of the content provider 2.

In FIG. 81, the rule 1 of price information has been described withreference to FIG. 78, and detailed description thereof is thus omitted.The rule 2 is price information for the rule #2 of the handling policy,and shows that the price is ¥100 and the earnings of the serviceprovider 3 is 0% when the usage right content number #16 is purchased.Thus, of ¥100 paid by the user, the content provider 2 will take ¥50,the service provider 3 ¥0, and the electronic distribution servicecenter 1 ¥50.

In FIG. 81, the user first purchases the rule number #1 (playback right,with no limit on time and the number of times). However, the user doesnot have management transfer right at this time (state of (a) of FIG.81). Then, the user purchases management transfer right (Because theseoperations occur instantly, it seems as if the user purchased themtogether). For the rule number of license condition information, the IDof the cipher processing portion representing a purchaser (herein afterreferred to as a purchaser) is ID 1 (for example, the ID of the homeserver 51), and the ID of the cipher processing portion possessingplayback right (hereinafter, referred to as a possessor) is ID 2 (stateof (b) of FIG. 81). When this is transferred to the stationary apparatus52 by performing management transfer, for the rule component of thelicense condition information possessed by the home server 51, thepurchaser is still ID 1, but the possessor changes to ID 2. Also, therule component of the license condition information possessed by thestationary apparatus 52 receiving playback right through managementtransfer, in which the purchaser is ID 1 and the possessor is ID 2, issame as the case of the license condition information of the home server51.

FIG. 82 is a flow chart explaining detailed transfer processing ofmanagement transfer right. In FIG. 82, Step S300 is similar to Step S220in FIG. 74, and detailed description thereof is thus omitted. Also, StepS301 is similar to Step S221 in FIG. 74, and detailed descriptionthereof is thus omitted. Step S302 is similar to Step S246 in FIG. 75,and detailed description thereof is thus omitted. In Step S303, thecipher processing portion 65 of the home server 51 examines the rulecomponent of the read license condition information, and determineswhether the usage right is playback right with no limit on time and thenumber of times and with management transfer right. If it is determinedthat there is management transfer right, advancement to Step S304 ismade.

In Step S304, the controlling portion 91 of the cipher processingportion 65 determines whether both the purchaser and the possessor ofthe management transfer right are the ID of the home server 51. If it isdetermined that the purchaser and the possessor of the managementtransfer right are the ID of the home server 51, advancement to StepS305 is made. In Step S305, the controlling portion 91 of the cipherprocessing portion 65 rewrites the possessor of the management transferright of license condition information to the ID of the stationaryapparatus 52. In Step S306, the controlling portion 91 of the cipherprocessing portion 65 outputs the license condition informationrewritten in Step S305 to the external memory controlling portion 97 ofthe cipher processing portion 65. The external memory controllingportion 97 of the cipher processing portion 65, which receives thelicense condition information, overwrites the license conditioninformation and stores it in the external memory 67. A method forrewriting and storing data in the external memory 67 has been describedwith reference to FIG. 70, and detailed description thereof is thusomitted. Step S307 to Step S311 are similar to Step S268 to Step S272 ofFIG. 79, and detailed description thereof is thus omitted.

If management transfer right is not included in the license conditioninformation in Step S303, and if the purchaser or the possessor ofmanagement transfer right is not the home server 51 in Step S304,processing is suspended.

In this way, the right to play back the contents can be transferred fromthe home server 51 to the stationary apparatus 52.

FIG. 83 is a flow chart explaining processing where management transferright is given back to the home server 51 that is a purchaser of themanagement transfer right from the stationary apparatus 52 currentlypossessing the management transfer right. In FIG. 83, Step S320 issimilar to Step S220 in FIG. 74, and detailed description thereof isthus omitted. Step S321 is similar to Step S221 in FIG. 74, and detaileddescription thereof is thus omitted, but it is assumed that the homeserver 51 and the stationary apparatus 52 mutually check that eachother's ID is registered. If it is determined that they are registered,advancement to Step S322 is made. Step S322 is similar to Step S246 inFIG. 75, and detailed description thereof is thus omitted, but it isassumed that the home server 51 and the stationary apparatus 52 mutuallyread the data of the same content ID. If data can be read from theexternal memory correctly, advancement to Step S323 is made. Step S323is similar to Step S303 in FIG. 82, and detailed description thereof isthus omitted, but it is assumed that the home server 51 and thestationary 52 mutually determine whether they have management transferright. If it is determined that they have management transfer right,advancement to Step S324 is made.

In Step S324, the cipher processing portion 65 of the home server 51determines whether the purchaser of management transfer right is the IDof the home server 51 and the possessor is the ID of the stationaryapparatus 52. If it is determined that the purchaser of managementtransfer right is the ID of the home server 51 and the possessor is theID of the stationary apparatus 52, advancement to Step S325 is made. Ina similar way, the cipher processing portion 73 of the stationaryapparatus 52 determines whether the purchaser of management transferright is the ID of the home server 51 and the possessor is the ID of thestationary apparatus 52. If it is determined that the purchaser ofmanagement transfer right is the ID of the home server 51 and thepossessor is the ID of the stationary apparatus 52, advancement to StepS325 is made.

In Step S325, the recording and playing portion 76 of the stationaryapparatus 52 deletes the contents from a recording medium 80 (However,since only encrypted data remains, it is not necessary to delete thecontents forcibly). In Step S326, the cipher processing portion 73 ofthe stationary apparatus 52 makes the external memory controllingportion (not shown) of the cipher processing portion 73 delete thecontent key K_(co) encrypted with the save key K_(save) 2 stored in theexternal memory 79 and the license condition information. A method ofdeletion in the external memory 79 has been described with reference toFIG. 71, and detailed description thereof is thus omitted.

In Step S327, the controlling portion 91 of the cipher processingportion 65 generates license condition information with the possessor ofmanagement transfer right of license condition information rewritten tothe ID of the home server 51. In Step S328, the controlling portion 91of the cipher processing portion 65 outputs the license conditioninformation generated in Step S327 to the external memory controllingportion 97 of the cipher processing portion 65. The external memorycontrolling portion 97 of the cipher processing portion 65, whichreceives the license condition information, overwrites the licensecondition information and stores it in the external memory 67. A methodof rewriting the license condition information and storing it in theexternal memory 67 has been described with reference to FIG. 70, anddetailed description thereof is thus omitted.

If registration information is tampered, and each other's apparatus IDis not registered in the home server 51 or the stationary apparatus 52in Step S321, and if the content key or license condition informationfor predetermined contents is not found, and the memory block includingthem are tampered in the home server 51 or the stationary apparatus 52in Step S322, advancement to Step S329 is made to perform errorhandling.

If there is no management transfer right in the license conditioninformation in the home server 51 or the stationary apparatus 52 in StepS323, and if the purchaser is not the home server 51 and the possessoris not stationary apparatus 52, processing is suspended.

In this way, the right to play back the contents can be given back tothe home server 51 from the stationary apparatus 52.

Furthermore, only a single contents, content key K_(co) and so on aredescribed, but there exist two or more as required.

Also, in this example, the content provider 2 and the service provider 3are addressed separately, but they may be integrated into one.Furthermore, the system of the content provider 2 may directly beapplied to the service provider 3.

(2) Encryption Processing by Use of the Individual Key

The content provider 2 encrypts the contents with the content keycreated on its own as described in terms of FIG. 9. Also, the contentprovider 2 receives the individual key specific to the content providerand the individual key encrypted with the distribution key from theelectronic distribution service center 1, and encrypts the content keywith the individual key. Thus, the content provider 2 supplies thecontents encrypted with the content key, the content key encrypted withthe individual key, and the individual key encrypted with thedistribution key to the user home network 5 via the service provider 3.

At the user home network 5, the individual key specific to the contentprovider 2 is decrypted using the distribution key received from theelectronic distribution service center 1. In this way, the user homenetwork 5 can decrypt the content key encrypted with the individual keyspecific to the content provider and supplied from the content provider2. The user home network 5 that obtains the content key can decrypt thecontents with the content key.

Here, while the individual key is specific for each content server,there is only one kind of distribution key. Thus, the user home network5 can decrypt the individual key from each content provider if havingone kind of distribution key. Therefore, the user home network 5 doesnot need to have the individual key specific for each content provider,and can purchase contents of all content providers only by having thedistribution key.

Also, each content provider cannot decrypt the individual key specificto another content provider (encrypted with the distribution key)because it has no distribution key. In this way, piracy of the contentsamong content providers can be prevented.

Now, in order to make clear the configuration of the embodimentdescribed above and each means of the invention described in Claims, acorresponding embodiment (one example, however) is added in theparenthesis following each means to describe the characteristics of thepresent invention as follows. Of course, however, this description doesnot mean that each means is limited to what is described.

That is, an information sending system of the present inventioncomprises a memory for storing individual keys (for example, a tamperresistant memory in FIG. 84), possessed by contents supplier or contentsseller sending information of contents and the like (for example,contents sending device 200 in FIG. 84), means for encrypting thecontent key K_(co) with the individual key K_(i) (for example, a dataencrypting portion 203 in FIG. 84), means for generating the handlingpolicy in which usage conditions of the content key K_(co), and so onare described (for example, a handling policy generating portion 206 inFIG. 84), means for generating digital signatures for various kinds ofdata (for example, a signature generating portion 207 in FIG. 84), meansfor verifying signature data generated for various kinds of datapossessed by the user (for example, content receiving device 210 in FIG.84) purchasing the contents (for example, a signature verifying portion222 in FIG. 84), means for comparing the ID indicating a generator ofthe content key K_(co) with the ID of a generator of the handling policy(for example, a comparator 226 in FIG. 84) and means for storing thedistribution key (for example, a tamper resistant memory 221 in FIG.84).

Also, the information sending system of the present invention comprisesa memory for storing individual keys (for example, the tamper resistantmemory 201 in FIG. 85), possessed by the content supplier or the contentseller sending information of contents and the like (for example, thecontent sending device in FIG. 85), a memory for storing keycertificates (for example, a memory 202 in FIG. 85), means forencrypting the content key K_(co) with the individual key K_(i) (forexample, the data encrypting portion 203 in FIG. 85), means forverifying signature data generated for various kinds of data possessedby the user (for example, the content receiving device 210 in FIG. 85)purchasing the contents (for example, the signature verifying portion222 in FIG. 85), and means for storing the distribution key (forexample, the tamper resistant memory 221 in FIG. 85).

(3) Remote Playback Process

A remote playback process in which a playback command is received by aapparatus that does not retain the playback right of the contents (forexample, the stationary apparatus 52) from a apparatus that retains thecontents (for example, the home server 51), and the contents are playedback.

FIG. 86 shows a remote playback process procedure, and first the contentID of the contents to be subjected to remote playback through inputoperations by the user is inputted in the host controller 62, and thenin Step S401, the home server 51 and the stationary apparatus 52 performcross authentication. The cross authentication process is similar tothat described with reference to FIG. 52, and description thereof isthus omitted. In Step S402, the host controller 62 of the home server 51makes the cipher processing portion 65 of the home server 51 examine theregistration information read from the large capacity storing portion 68of the home server 51. The cipher processing portion 65, which receivesthe registration information from the host controller 62, makes thesignature authentication unit 115 of the encryption/decryption module 96authenticate the signature added to the registration information withthe public key of the authenticator station 22 supplied from the memorymodule 92 of the cipher processing portion 65. After the verification ofthe signature is successful, whether the item of “registration” is“registration possible”, and if it is determined that the item is“registration possible”, then advancement to Step S403 is made.Furthermore, the stationary apparatus 52 also examines the registrationinformation, and determines that the home server 51 is “registrationpossible”.

In Step S403, the host controller 62 generates a playback commandincluding the content ID of the contents to be subjected to remoteplayback, and in following Step S404, the cipher processing portion 65of the home server 51 makes the external memory controlling portion 97of the cipher processing portion 65 read the license conditioninformation corresponding to the contents to be subjected to remoteplayback and the content key K_(co) encrypted with the save key K_(save)from the external memory 67. A method for reading data from the externalmemory 67 by the external memory controlling portion 97 is same as thatdescribed with reference to FIG. 68, and detailed description thereof isthus omitted. If they are read successfully, advancement to Step S405 ismade.

In Step S405, the decryption unit 111 of the encryption/decryptionmodule 96 decrypts the content key K_(co) read from the external memory67, with the save key K_(save) supplied from the memory module 92. InStep S406, the encryption unit 112 of the encryption/decryption module96 encrypts the content key K_(co) with the temporary key K_(temp),followed by encrypting the playback command with temporary key K_(temp)in step S407.

In following Step S408, the home server 51 reads the contents to besubjected to remote playback (encrypted with the content key K_(co))from the large capacity storing portion 68, sends this to the stationaryapparatus 52 together with the content key and the playback commandencrypted with the temporary key K_(temp) in Step S406 and Step S407described above.

In Step S409, the stationary apparatus 52 decrypts with the temporarykey K_(temp) the content key K_(co) and the playback command receivedfrom the home server 51, and in Step S410, the cipher processing portion73 and the extending portion 74 perform cross authentication and sharethe temporary key K_(temp) 2. And in Step S411, the cipher processingportion 73 encrypts the content key K_(co) and the playback command withthe temporary key K_(temp) 2 shared with the extending portion 74 inaforesaid Step S410. In Step S412, the cipher processing portion 73sends the content key K_(co) and the playback command encrypted withtemporary key K_(temp) 2 to the extending portion 74, and in Step S413,the extending portion 74 decrypts the content key K_(co) and theplayback command with the temporary key K_(temp) 2.

In Step S414, the extending portion 74 decrypts the contents receivedfrom the home server 51 in aforesaid Step S408, with content key K_(co)decrypted in aforesaid Step S413, in accordance with the playbackcommand decrypted in aforesaid Step S413. And in Step S415, theextending portion 74 extends the decrypted contents by a predeterminedsystem, for example a system such as ATRAC. In Step S 416, the hostcontroller 72 inserts the data indicated from the cipher processingportion 73 into the contents in the form of the electronic watermark. Inthis connection, the data that are passed from the cipher processingportion 73 to the extending portion 74 include not only the content keyK_(co) and the playback command, but also playback conditions (analogueoutput, digital output and output with copy control signals (SCMS)) andthe ID of the apparatus that has purchased content usage right. The datato be inserted is the ID of the apparatus that has purchased the contentusage right, namely the apparatus ID in license condition information,and so force. In Step S417, the extending portion 74 plays back musicthrough a speaker (not shown).

In the configuration described above, the home server 51 sends thecontents, the playback command of the contents and the content keyK_(co) to the stationary apparatus 52, whereby the stationary apparatus52 retaining no content playback right can play back the contents usingthe playback command and the content key K_(co) Thus, according to theaforesaid configuration, a plurality of apparatuses (such as stationaryapparatuses) connected to an apparatus retaining the contents (anapparatus having content playback right) can play back the contents.

(4) Booking Purchase Processing

Booking purchase processing in which the key of the contents isconverted in advance before the expiration date of the distribution keyis reached and booking purchase of the contents is performed will bedescribed. In Step S451 for the booking purchase processing procedureshown in FIG. 87, the home server 51 performs registration informationupdate determination processing and proceeds to Step S452. Registrationinformation update determination processing is same as that describedwith reference to FIG. 61 and FIG. 62, and detailed description thereofis thus omitted. In the booking purchase processing, however,determination of registration information update timing on the basis ofthe number of units purchased and the purchase amount of money describedwith reference to Step S601 and S602 of FIG. 61 is not necessarilyperformed.

In Step S452, the host controller 62 of the home server 51 inputs theregistration information read from the large capacity storing portion 68of the home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives theregistration information, verifies the signature of the registrationinformation with the signature verification unit 115 of theencryption/decryption module 96, followed by determining whether or notthe items of “purchase processing” and “registration” for the ID of thehome server 51 are “purchase possible” and “registration possible”, andthen proceeds to Step S453 if they are “purchase possible” and“registration possible”. In Step S453, the host controller 62 of thehome server 51 inputs the public key certificate of the content provider2 read from the large capacity storing portion 68 of the home server 51in the cipher processing portion 65 of the home server 51. The cipherprocessing portion 65, which receives the public key certificate of thecontent provider 2, verifies the signature of the public key certificateof the content provider 2 with the signature verification unit 115 ofthe encryption/decryption module 96, followed by fetching the public keyof the content provider 2 from the public key certificate. As a resultof the verification of the signature, if it is confirmed that no tamperhas been made, the host controller 62 proceeds to Step S454.

In Step S454, the host controller 62 of the home server 51 inputs thecontent key K_(co) read from the large capacity storing portion 68 ofthe home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives the contentkey K_(co), verifies the signature of the content key K_(co) with thesignature verification unit 115 of the encryption/decryption module 96,and if it is confirmed that no tamper has been made, then advancement toStep S455 is made.

In Step S455, the host controller 62 of the home server 51 inputs theindividual key K_(i) read from the large capacity storing portion 68 ofthe home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives theindividual key K_(i), verifies the signature of the individual key K_(i)with the signature verification unit 115 of the encryption/decryptionmodule 96, and if it is confirmed that no tamper has been made, thenadvancement to Step S456 is made.

Here, if one signature is added for all of the content key K_(co)encrypted with the individual key K_(i) and the individual key K_(i)encrypted with the distribution key K_(d), Step S454 and Step S455 maybe merged together.

In Step S456, the controlling portion 91 of the cipher processingportion 65 decrypts the individual key K_(i) inputted in Step S455, withthe decryption unit 111 of the encryption/decryption module 96, usingthe distribution key K_(d) supplied from the memory module 92. Then, thecontrolling portion 91 of the cipher processing portion 65 decrypts thecontent key K_(co) inputted in Step S454, with decryption unit 111 ofthe encryption/decryption module 96, using the individual key K_(i) justdecrypted. Finally, the controlling portion 91 of the cipher processingportion 65 encrypts the content key K_(co) with the encryption unit 112of the encryption/decryption module 96, using the save key K_(save)supplied from the memory module 92.

In Step S457, the content key K_(co) encrypted with the save keyK_(save) is stored in the external memory 67 by way of the externalmemory controlling portion 97 of the cipher processing portion 65.

Also, if it is determined in Step S452 that the home server 51 is anapparatus incapable of performing purchase processing, if it isdetermined in Step S453 that the signature of the public key certificateof the content provider 2 is incorrect, or if it is determined in StepS454 that the signature of the content key K_(co) encrypted with theindividual key K_(i) is incorrect, or if it is determined in Step S455that the signature of the individual key K_(i) encrypted with thedistribution key K_(d) is incorrect, the home server 51 proceeds to StepS458 to perform error handling.

As described above, the home server 51 decrypts the content key K_(co)with the individual key K_(i), followed by encrypting again the contentkey K_(co) with the save key K_(save) and having the content key K_(co)stored in the external memory 67. Since this booking purchase processingdoes not involve actual purchase of the contents, out of purchaseprocessing described above in terms of FIG. 67, processing as toaccounting information in registration information update determinationprocessing of Step S161, processing as to purchased contentscorresponding to Step S164, processing as to the handling policycorresponding to Step S167, processing as to verification of the publickey of the service provider corresponding to Step S168, processing as toverification of the signature of the price information corresponding toStep S169, and processing of storing accounting information and licensecondition information corresponding to Step S170 to Step S172 are notnecessarily performed.

In this connection, in the case of the booking purchase processing ofFIG. 87, the home server 51 does not create license conditioninformation, but it is also possible to create license conditioninformation and define its usage right content number (namely, rightitem) as a state of not possessing right, such as an initial value (forexample, nonexistence #0).

In this way, in the booking purchase processing, the home server 51stores the content key K_(co) in the external memory 67 before theexpiration date of the distribution key K_(d) is reached, thereby makingit possible perform purchase regardless of the expiration date of thedistribution key K_(d) in terms of contents encrypted with the storedcontent key K_(co).

Now, processing of real purchase of the contents for which the bookingof purchase has been made by storing the content key K_(co) in theexternal memory 67 at the home server 51 will be described. In Step S471of the real purchase processing procedure shown in FIG. 88, the homeserver 51 performs registration information update determinationprocessing and proceeds to Step S472. Registration information updatedetermination processing is same as that described with reference toFIG. 61 and FIG. 62, and detailed description thereof is thus omitted.However, in this purchase processing, determination of registrationinformation update timing on the basis of the distribution key K_(d)described with Step S603 of FIG. 61 does not need to be performed.

In Step S472, the host controller 62 of the home server 51 inputs theregistration information read from the large capacity storing portion 68of the home server 51 in the cipher processing portion 65 of the homeserver 51. The cipher processing portion 65, which receives theregistration information, verifies the signature of the registrationinformation with the signature verification unit 115 of theencryption/decryption module 96, followed by determining whether theitems of “purchase processing” and “registration” for the ID of the homeserver 51 are “purchase possible” and “registration possible”, and ifthey are “purchase possible” and “registration possible”, thenadvancement to Step S473 is made. In Step S473, the host controller 62of the home server 51 inputs the public key certificate of the contentprovider 2, read form the large capacity storing portion 68 of the homeserver 51, in the cipher processing portion 65 of the home server 51.The cipher processing portion 65, which receives the public keycertificate of the content provider 2, verifies the signature of thepublic key certificate of the content provider 2 with the signatureverification unit 115 of the encryption/decryption module 96, followedby fetching the public key of the content provider 2 from the public keycertificate. As a result of the verification, if it is confirmed that notamper has been made, advancement to Step S474 is made.

In Step S474, the host controller 62 of the home server 51 inputs thecontents read from the large capacity storing portion 68 of the homeserver 51 in the cipher processing portion 65 of the home server 51. Thecipher processing portion 65, which receives the contents, verifies thesignature of the contents with the signature verification unit 115 ofthe encryption/decryption module 96, and if it is confirmed that notamper has been made, then advancement to Step S475 is made.

In Step S475, the host controller 62 of the home server 51 inputs thehandling policy read from the large capacity storing portion 68 of thehome server 51 in the cipher processing portion 65 of the home server51. The cipher processing portion 65, which receives the handlingpolicy, verifies the signature of the handling policy with the signatureverification unit 115 of the encryption/decryption module 96, and if itis confirmed that no tamper has been made, then advancement to Step S476is made. In Step S476, the host controller 62 of the home server 51inputs the public key certificate of the service provider 3 read fromthe large capacity storing portion 68 of the home server 51 in thecipher processing portion 65 of the home server 51. The cipherprocessing portion 65, which receives the public key certificate of theservice provider 3, verifies the signature of the public key certificateof the service provider 3 with the signature verification unit 115 ofthe encryption/decryption module 96, followed by fetching the public keyof the service provider 3 from the public key certificate. As a resultof the verification, if it is confirmed that no tamper has been made,the advancement to Step S477 is made.

In Step S477, the host controller 62 of the home server 51 inputs theprice information read from the large capacity storing portion 68 of thehome server 51 in the cipher processing portion 65 of the home server51. The cipher processing portion 65, which receives the priceinformation, verifies the signature of the price information with thesignature verification unit 115 of the encryption/decryption module 96,and if it is confirmed that no tamper has been made, the advancement toStep S478 is made.

In Step S478, the host controller 62 of the home server 51 displaysinformation of purchasable contents (for example, purchasable usagepatterns and prices) using the displaying means 64, and the user selectsa purchase item using the inputting means 63. Furthermore, processing ofselecting a purchase item may also be performed prior to real purchaseprocessing. A signal inputted from the inputting means 63 is sent to thehost controller 62 of the home server 51, and the host controller 62generates a purchase command based on the signal, and inputs thepurchase command in the cipher processing portion 65 of the home server51. The cipher processing portion 65, which receives this, generatesaccounting information and license condition information from thehandling policy inputted in Step S475 and the price information inputtedin Step S477. Accounting information is same as that described withreference to FIG. 42, and detailed description thereof is thus omitted.

In Step S479, the controlling portion 91 of the cipher processingportion 65 stores in the memory module 92 the accounting informationgenerated in Step S478. And in Step S480, the controlling portion 91 ofthe cipher processing portion 65 sends the license condition informationgenerated in Step S478 to the external memory controlling portion 97 ofthe cipher processing portion 65. The external memory controllingportion 97, which receives the license condition information, makes atamper check for the external memory 67, followed by writing the licensecondition information in the external memory 67. A tamper check when thelicense condition information is written is same as that described abovewith reference to FIG. 69, and detailed description thereof is thusomitted (Furthermore, in the case where license condition informationwith no right is already written, the license condition information isrewritten and updated by means of rewrite processing described withreference to FIG. 70).

In this connection, if it is determined in Step S472 that the homeserver 51 is an apparatus incapable of performing purchase processing,and that the home server 51 is not registered, or if it is determined inStep S473 that the signature of the public key certificate of thecontent provider 2 is incorrect, or if it is determined in Step S474that the signature of the contents encrypted with the content key K_(co)is incorrect, or if it is determined in Step S475 that the signature ofthe handling policy is incorrect, or it is determined in Step S476 thatthe signature of the public key certificate of the service provider 3 isincorrect, or if it is determined in Step S477 that the signature of theprice information is incorrect, the home server 51 proceeds to Step S481to perform error handling.

As described above, the home server 51 stores in the memory module 92the accounting information in terms of the content selected for purchaseby the user, and stores the license condition information in theexternal memory 67, thereby ending real purchasing processing of thecontents. In this real purchase processing, verification of thesignature of the content key K_(co) (Step S454) and verification of thesignature of the individual key K_(i) (Step S455) that have been alreadyperformed in the booking purchase processing described above withreference to FIG. 87, and processing of lock switching of the contentkey K_(co) (Step S456) are not performed.

In the configuration described above, the home server 51 stores thecontent key K_(co) in the external memory 67 through booking purchaseprocessing before the distribution key K_(d) is updated, whereby thecontent key K_(co) is already stored in the external memory 67 eventhough the distribution key K_(d) required when the content key K_(co)is decrypted is updated, thus making it possible to purchase thecontents after the expiration date of the distribution key K_(d) isreached.

(5) Proxy Purchase Processing

Proxy purchase processing in which the contents are exchanged betweenapparatuses different from each other in registration information(Registration List), namely apparatuses different from each other ingroups will be described. In this proxy purchase processing, in terms ofcases where the contents are exchanged between the home server 51 andportable devices and the like, which are non-group apparatuses asopposed to the home server 51, for example, the case where the homeserver 51 performs accounting and the case where the non-group apparatusperforms accounting will be described, respectively. In this case,description will be presented, considering the above describedstationary apparatus 52 as a non-group apparatus.

FIG. 89 shows a processing procedure where the home server 51 passes thecontents to the non-group apparatus and the home server 51 performsaccounting, and in Step S501, the home server 51 and the non-groupapparatus perform cross authentication. The cross authentication issimilar to that described with reference to FIG. 52, and descriptionthereof is thus omitted. In Step S502, the home server 51 and thenon-group apparatus mutually exchange the registration information witheach other, and then examine the registration information of the otherin Step S503.

That is, the home server 51 makes the cipher processing portion 65examine the registration information received from the non-groupapparatus. The cipher processing portion 65, which receives theregistration information from the non-group apparatus, makes thesignature verification unit 115 of the encryption/decryption module 96verify the signature added to the registration information with thepublic key supplied from the memory module 92 of the cipher processingportion 65. After the verification of the signature is successful, thecontrolling portion 91 of the cipher processing portion 65 determineswhether or not the ID of the non-group apparatus is registered in theregistration information and the items of “purchase processing” and“registration” are “purchase possible” and “registration possible”.Also, in a similar way, the non-group apparatus which receives theregistration information of the home server 51 determines whether or notthe ID of the home server 51 is registered in the registrationinformation of the home server 51 and the item of “registration” is“registration possible”. And, when it is mutually confirmed that eachother's apparatus is registered, the home server 51 proceeds to StepS504.

Step S504 to Step S510 are processes similar to those of Step S161 toStep S171, and detailed description thereof is thus omitted.

In Step S 511, the controlling portion 91 of the cipher processingportion 65 decrypts the individual key K_(i) encrypted with thedistribution key K_(d) inputted in Step S508, with the decryption unit111 of the encryption/decryption module 96, using the distribution keyK_(d) supplied from the memory module 92. Then, the controlling portion91 of the cipher processing portion 65 decrypts the content key K_(co)encrypted with the individual key K_(i) inputted in Step S508, with thedecryption unit 111 of the encryption/decryption module 96, using theindividual key K_(i) just decrypted. And, the controlling portion 91 ofthe cipher processing portion 65 encrypts again the content key K_(co)with the encryption unit 112 of the encryption/decryption module 9.6,using the temporary key K_(temp) shared with the non-group apparatusduring cross authentication in Step S501. In Step S512, the controllingportion 91 of the cipher processing portion 65 generates the signaturefor the content key K_(co) encrypted with the temporary key K_(temp) andthe license condition information generated in Step S509, using thesignature generation unit 114 of the encryption/decryption module 96,and sends the signature to the host controller 62. The host controller62 of the home server 51, which receives the content key K_(co)encrypted with the temporary key K_(temp), the license conditioninformation and their signatures, reads the contents encrypted with thecontent key K_(co) from the large capacity storing portion 68, and sendsthe content key K_(co) encrypted with the temporary key K_(temp), thelicense condition information, their signatures and the contentsencrypted with the content key K_(co) to the non-group apparatus.

In Step S513, the non-group apparatus, which receives the content keyK_(co) encrypted with the temporary key K_(temp), the license conditioninformation, their signatures and the contents encrypted with thecontent key K_(co), outputs the contents encrypted with the content keyK_(co) to the recording and playing portion 76 of the non-groupapparatus. The recording and playing portion 76 of the non-groupapparatus, which receives the contents encrypted with the content keyK_(co), stores in the recording medium 80 the contents encrypted withthe content key K_(co).

In Step S514, the cipher processing portion 73 of the non-groupapparatus verifies the signature received from the home server 51 inStep S512, and decrypts the content key K_(co) encrypted with thetemporary key K_(temp), with the decryption unit of theencryption/decryption module, using the temporary key K_(temp) sharedwith the home server 51 during cross authentication in Step S501. And,the controlling portion of the cipher processing portion 73 encryptsagain the content key K_(co) with the encryption unit of theencryption/decryption module, using the save key K_(save) 2 suppliedfrom the memory module of the cipher processing portion 73.

In Step S515, the cipher processing portion 73 of the non-groupapparatus sends the content key K_(co) encrypted with the save keyK_(save) 2 and the license condition information received in Step S513to the external memory controlling portion of the cipher processingportion 73, and has them stored in the external memory 79. Processingwhere the external memory controlling portion writes data in theexternal memory has been described with reference to FIG. 69, anddetailed description thereof is thus omitted.

In this way, the home server 51 purchases content usage right,accounting information is stored by the home server 51, and the usageright is passed to the non-group apparatus. By this, the home server 51pays for the content usage right passed to the non-group apparatus.

Then, FIG. 90 shows a processing procedure where the home server 51passes the contents to the non-group apparatus, and the non-groupapparatus performs accounting, and in Step S551, the non-group apparatusdetermines whether or not a total charge in the accounting informationstored in the cipher processing portion 73 (FIG. 15) has reached anupper limit, and if the upper limit has not been reached, thenadvancement to Step S552 is made (Furthermore, determination by an upperlimit on the number of accounting instances is also possible instead ofdetermination by the upper limit on the total charge).

In Step S552, the host controller 72 of the non-group apparatus inputsthe registration information read from the external memory 79 in thecipher processing portion 73. The cipher processing portion 73, whichreceives the registration information, verifies the signature of theregistration information with the signature verification unit of theencryption/decryption module provided therein, followed by determiningwhether the item of “purchase processing” for the ID of the non-groupapparatus (stationary apparatus 52) is “purchase possible”, and if it is“purchase possible”, then advancement to Step S553 is made.

In Step S553, the home server 51 and the non-group apparatus performcross authentication. The cross authentication is similar to the processdescribed with reference to FIG. 52, and description thereof is thusomitted. In Step S554, the home server 51 and the non-group apparatusexchange registration information with each other, and in following StepS553, they mutually examine each other's registration information.

That is, the home server 51 makes the cipher processing portion 65examine the registration information received from the non-groupapparatus. The cipher processing portion 65, which receives theregistration information from the non-group apparatus, makes thesignature verification unit 115 of the encryption/decryption module 96verify the signature added to the registration information with thepublic key supplied from the memory module 92 of the cipher processingportion 65. After the verification of the signature is successful, thecontrolling portion 91 of the cipher processing portion 65 determineswhether or not the ID of the non-group apparatus is registered in theregistration information and the item of “registration” is “registrationpossible”. Also, in a similar way, the non-group apparatus whichreceives the registration information of the home server 51 determineswhether or not the ID of the home server 51 is registered in theregistration information of the home server 51 and the item of“registration” is “registration possible”. Furthermore, the non-groupapparatus also performs similar processing. And, when it is mutuallyshown that the ID of the other apparatus is registered, the home server51 proceeds to Step S556.

In Step S556, the controlling portion 91 of the home server 51 reads thepurchased content key from the external memory 67 through the externalmemory controlling portion 97, and in following step S557, the homeserver 51 decrypts the content key K_(co) with the save key K_(save) andencrypts again the content key K_(co) with the temporary key K_(temp),and generates their signatures.

In Step S558, the home server 51 sends to the non-group apparatus thecontent key encrypted with the save key K_(temp) generated in S557, andthe contents, the handling policy and the price information read fromthe large capacity storing portion 68. In Step S559, the non-groupapparatus stores in the recording medium 80 the contents received fromthe home server 51.

In Step S560, the non-group apparatus (stationary apparatus 52) verifiesthe signature of the handling policy, price information and the like,and then in Step S561, the host controller 72 of the non-group apparatusdisplays information of purchasable contents (for example, purchasableusage patterns and prices) using the displaying means 78, and the userselects purchase items using the inputting means 77. Furthermore, theselection processing may be performed prior to proxy purchaseprocessing. A signal inputted from the inputting means 77 is sent to thehost controller 72, and the host controller 72 generates a purchasecommand based on the signal, and inputs the purchase command in thecipher processing portion 73. The cipher processing portion 73, whichreceives this, generates accounting information and license conditioninformation from the handling policy and the price information inputtedin Step S560. The accounting information has been described withreference to FIG. 42, and detailed description thereof is thus omitted.The license condition information has been described with reference toFIG. 41, and detailed description thereof is thus omitted.

In Step S562, the cipher processing portion 73 stores the accountinginformation generated in Step S561 in the memory module in the cipherprocessing portion 73. In Step S563, the cipher processing portion 73verifies the signature of the content key encrypted in Step S557 anddecrypts the content key with the temporary key K_(temp), and thenencrypts again the content key with the save key K_(save) 2. And in StepS564, the content key K_(co) encrypted with the save key K_(save) 2 isstored in the external memory 79 from the cipher processing portion 73.

In this way, the home server 51 passes the content usage right alreadypurchased to the non-group apparatus, and the non-group apparatus storesthe accounting information, whereby the non-group apparatus pays for thecontent usage right passed from the home server 51 outside the group.

In the configuration described above, as described with reference toStep S502 and Step S554, registration information is mutually exchangedbetween apparatuses different from each other in registrationinformation (Registration List), whereby the contents possessed by oneapparatus can be passed to the other apparatus after it is confirmedthat they are registered apparatuses, as described above in terms ofaforesaid Step S502 to Step S554. Thus, according to the aforesaidconfiguration, contents can be exchanged between apparatuses differentfrom each other in groups.

Furthermore, in the above described embodiment, the signature of thecontents is verified during purchase processing, but there may be caseswhere it is omitted because much time is required for processing. Also,there may be cases where in the handling policy or price information isincluded description about whether or not verification is needed, andoperations are performed in accordance therewith.

(6) Another Configuration of the Electronic Music Distribution System

FIG. 91 explains another configuration of an electronic musicdistribution system 400. In such an electronic music distribution system400, to an electronic distribution service center 401 of personalcomputer configuration are connected personal computers 403 and 406 forsignal processing (hereinafter referred to as signal processing personalcomputers), of content provider 404 consisting of two personal computers402 and 403 for content servers and for signal processing and of aservice provider 407 consisting of two personal computers 405 and 406for content servers and for signal processing, likewise.

Also, to the signal processing personal computer 406 of the serviceprovider 407 is connected the signal processing personal computer 403 ofthe content provider 404, and is connected a home server 409 of personalcomputer configuration provided in a user home network 408 via thenetwork 4.

And, the user home network 408 has a configuration in which a stationaryapparatus 410 such as a stationary-type recording and playing apparatusand a portable device 411 such as a portable recording and playingdevice and a portable communication terminal (a portable informationdevice, a cellular phone and the like) are connected to the home server409.

As shown in FIG. 92, the electronic distribution service center 401 hasa configuration in which a RAM (Random Access Memory) 417, a ROM (ReadOnly Memory) 418, a displaying portion 419, an inputting portion 420, ahard disk drive (HDD: Hard Disk Drive) 421, and a network interface 422are connected to a controlling portion 415 such as a CPU (CentralProcessing Unit) via a bus 416.

In this case, by reading out various kinds of programs stored in advancein the RPM 418 to develop them on the RAM 417, the controlling portion415 can perform processing as in the case of the service providermanaging portion 11, the content provider managing portion 12, thecopyright managing portion 13, the key server 14, the background datamanaging portion 15, the benefit distribution portion 16, the crossauthenticating portion 17, the user managing portion 18, the accountcharging portion 19, the banking portion 20 and the auditing portion 21of the electronic distribution service center 1 as described above withreference to FIG. 2, in accordance with various kinds of these programs.

Also, the controlling portion 415 retains and manages various kinds ofthese information by recording keys used for the whole system (such asthe distribution key K_(d) and individual key K_(i)), and various kindsof information such as accounting information, price information, thehandling policy and the user registration database in a hard disk of thehard disk drive 421.

Furthermore, the controlling portion 415 can communicate via the networkinterface 422 with the content provider 404, the service provider 407,the user home network 408, the JASRAC and the like, and by this, thecontrolling portion 415 can exchange the distribution key K_(d) and theindividual key K_(i) encrypted with the distribution key K_(d), andvarious kinds of information such as accounting information, priceinformation, the handling policy, registration information andutilization records of contents with the content provider 404, theservice provider 407, the user home network 408, JASRAC and the like.

In this way, the electronic distribution service center 401 of personalcomputer configuration can achieve functions similar to those of theelectronic distribution service center 1 described above with referenceto FIG. 2 in accordance with various kinds of programs.

In this connection, in the electronic distribution service center 401,use of the inputting portion 420 and the displaying portion 419 may beprevented and thus the inputting portion 420 and the displaying portion419 are not provided, but the inputting portion 420 and the displayingportion 419 may be used for confirming various kinds of informationrecorded in the hard disk drive 421 and so on.

Also, in the electronic distribution service center 401, various kindsof programs may be recorded in advance in the hard disk of the hard diskdrive 421 in place of the ROM 418.

FIG. 93 is a block diagram showing a configuration of the contentprovider 404, and the personal computer 402 for content servers(hereinafter referred to as personal computer for servers) has aconfiguration in which a RAM 427, a ROM 428, a displaying portion 429,an inputting portion 430, a hard disk drive 431 storing in the hard diskthe contents to be supplied to the user, and an IEEE (Institute ofElectrical and Electronics Engineers) 1394 interface 432 are connectedto a controlling portion 425 such as a CPU via a bus 426.

Also, in the content provider 404, the signal processing personalcomputer 403 has a configuration in which a RAM 437, a ROM 438, adisplaying portion 439, an inputting portion 440, a hard disk drive 441,a network interface 442 for connection to the electronic distributionservice center 401 and the service provider 407, and an IEEE 1394interface 444 that is connected via the IEEE 1394 interface 432 and anIEEE 1394 cable 443 of the personal computer 402 for servers areconnected to a controlling portion 435 such as a CPU via a bus 436.

In this case, the controlling portion 425 of the personal computer 402for servers operates according to a predetermined program stored inadvance in the ROM 428 by reading out the program and developing theprogram on the RAM 427, and when a read-of-contents instruction is sentvia the IEEE 1394 cable 443 from the controlling portion 435 of thesignal processing personal computer 403, the controlling portion 425captures the read instruction via the IEEE 1394 interface 432, reads thecontents from the hard disk of the hard disk drive 431 based on thecaptured read-of-contents instruction, and sends the read contents tothe signal processing personal computer 403 from the IEEE 1394 interface432 via the IEEE 1394 cable 443.

In this connection, in the personal computer 402 for servers, use of theinputting portion 430 and the displaying portion 429 may be preventedand thus the inputting portion 430 and the displaying portion 429 arenot provided, but the inputting portion 430 and the displaying portion429 may be used when the contents recorded in the hard disk drive 431 isconfirmed or contents are newly stored in the hard disk drive 431, andcontents are deleted and so on.

Also, in the personal computer 402 for servers, programs may be recordedin advance in the hard disk of the hard disk drive 431 in place of theROM 428.

On the other hand, in the content provider 404, the controlling portion435 of the signal processing personal computer 403 records theindividual key K_(i), the individual key K_(i) encrypted with thedistribution key K_(d), and the public key certificate of the contentprovider 404 in the hard disk of the hard disk drive 439, therebyretaining and managing the individual key K_(i), the individual keyK_(i) encrypted with the distribution key K_(d), and the public keycertificate of the content provider 404.

And, by reading out various kinds of predetermined programs stored inadvance in the ROM 438 to develop them on the RAM 437, the controllingportion 435 can perform processing as in the case of the electronicwatermark adding portion 32, the compressing portion 33, the contentencrypting portion 34, the content key generating portion 35, thecontent key encrypting portion 36, the handling policy generatingportion 37, the signature generating portion 38 and the crossauthenticating portion 39 as described above with reference to FIG. 9,in accordance with various kinds of these programs.

By this, the signal processing personal computer 403 can exchange thedistribution key K_(d), the individual key K_(i) encrypted with thedistribution key K_(d), the handling policy and the content providersecure container with the electronic distribution service center 401 andthe service provider 407 via the network interface 442.

In this way, the content provider 404 of personal computer configurationcan achieve functions similar to those of the content provider 2described above with reference to FIG. 9, in accordance with variouskinds of programs.

In this connection, in the signal processing personal computer 403, useof the inputting portion 440 and the displaying portion 439 may beprevented and thus the inputting portion 440 and the displaying portion439 are not provided, but the inputting portion 440 and the displayingportion 439 may be used for confirming the individual key K_(i), theindividual key encrypted with the distribution key K_(d) and the publickey certificate of the content provider 404 recorded in the hard diskdrive 441, and so on.

Also, in the signal processing personal computer 403, various kinds ofprograms may be recorded in advance in the hard disk of the hard diskdrive 441 in place of the ROM 438. Furthermore, in the signal processingpersonal computer 403, resistance to tamper may be imparted to the RAM437 to retain the individual key K_(i).

Furthermore, in the content provider 404, the signal processing personalcomputer 403 and the personal computer 402 for servers are connected viathe IEEE 1394 cable 443, but the signal processing personal computer 403and the personal computer 402 for servers may be cable-connected via theUSB (Universal Serial Bus) cable, the RS-232C cable and the like, orwirelessly connected via predetermined wireless communicating means.

FIG. 94 is a block diagram showing a configuration of the serviceprovider 407, and the personal computer 405 for servers has aconfiguration in which a RAM 447, a ROM 448, a displaying portion 449,an inputting portion 450, a hard disk drive 451 storing in the hard discthe content provider secure container and the public key certificate ofthe content provider 404, and an IEEE 1394 interface 452 are connectedto a controlling portion 445 such as the CPU via a bus 446.

Also, in the service provider 407, the signal processing personalcomputer 406 has a configuration in which a RAM 456, a ROM 457, adisplaying portion 458, an inputting portion 449, a hard disk drive 460,a network interface 461 for connection to the electronic distributionservice center 401 and the content provider 404, an IEEE 1394 interface463 that is connected to the IEEE 1394 interface 452 of the personalcomputer 405 for servers via an IEEE 1394 cable 462, and a modem 464 forconnection to the user home network 408 via the network 4 are connectedto a controlling portion 454 such as the CPU via a bus 455.

In this case, the controlling portion 445 of the personal computer 405for servers operates in accordance with a predetermined program byreading out the program stored in advance in the ROM 448 to develop theprogram on the RAM 447, and when the content provider secure containerand the public key certificate of the content provider 404 together witha write instruction to write them are given from the controlling portion454 of the signal processing personal computer 406 via the IEEE 1394cable 462, the controlling portion 445 captures them via the IEEE 1394interface 452 and writes the content provider secure container and thepublic key certificate of the content provider 404 in the hard disk ofthe hard disk drive 451 based on the captured write instruction, andwhen a read instruction to read the content provider secure containerand the public key certificate of the content provider 404 is given fromthe controlling portion 454 of the signal processing personal computer406 via the IEEE 1394 cable 462, the controlling portion 445 capturesthe read instruction via the IEEE 1394 interface 452, reads the contentprovider secure container and the public key certificate of the contentprovider 404 from the hard disk of the hard disk drive 451 based on thecaptured read instruction, and sends the read content provider securecontainer and public key certificate of the content provider 404 to thesignal processing personal computer 406 from the IEEE 1394 interface 452via the IEEE 1394 cable 462.

In this connection, in the personal computer 405 for servers, use of theinputting portion 450 and the displaying portion 449 may be usuallyprevented, and thus the inputting portion 450 and the displaying portion449 are not provided, but the inputting portion 450 and the displayingportion 449 may be used for confirming the content provider securecontainer, the public key certificate of the content provider 404 andthe like recorded in the hard disk drive 451, and so on.

Also, in the personal computer 405 for servers, programs may be recordedin advance in the hard disk of the hard disk drive 451 in place of theROM 448.

On the other hand, in the service provider 407, the controlling portion454 of the signal processing personal computer 406 records the publickey certificate of the service provider 407 in the hard disk of the harddisk drive 460, and imparts tamper resistance to the RAM 456 to retainand manage the secret key of the service provider 407.

And, by reading out various kinds of predetermined programs stored inadvance in the ROM 457 to develop them on the RAM 456, the controllingportion 454 can perform processing as in the case of the certificateverifying portion 42, the signature verifying portion 43, the pricingportion 44, the signature generating portion 45 and the crossauthenticating portion 46 of the service provider 3 described above withreference to FIG. 14, in accordance with various kinds of theseprograms.

By this, the signal processing personal computer 406 can exchange priceinformation, the content provider secure container and the like with theelectronic distribution service center 401 and the content provider 407via the network interface 442, and can send the service provider securecontainer to the user home network 408 via the modem 464.

In this way, the service provider 407 of personal computer configurationcan achieve functions similar to those of the service provider 3described above with reference to FIG. 14 in accordance with variouskinds of programs.

In this connection, in the signal processing personal computer 406, useof the inputting portion 459 and the displaying portion 458 may beusually prevented, and thus the inputting portion 459 and the displayingportion 458 are not provided, but the inputting portion 459 and thedisplaying portion 458 may be used for confirming the public keycertificate of the service provider 407 and the like recorded in thehard disk drive 460.

Also, in the signal processing personal computer 406, various kinds ofprograms may be recorded in advance in the hard disk of the hard diskdrive 460 in place of the ROM 457.

Furthermore, in the service provider 407, the signal processing personalcomputer 406 and the personal computer 405 for servers are connected viathe IEEE 1394 cable 462, but the signal processing personal computer 406and the personal computer 405 for servers may be cable-connected via apredetermined signal cable such as the USB cable and the RS-232C cable,or wirelessly connected via predetermined wireless communicating means.

FIG. 95 is a block diagram showing a configuration of the user homenetwork, and the home server 409 of personal computer configuration hasa configuration in which a RAM 467, a ROM 468, a displaying portion 469,an inputting portion 470, a hard disk drive 471, an IEEE 1394 interface472, a modem 473 for connection to the service provider 407 via thenetwork 4, and a network interface 474 for connection to the electronicdistribution service center 401 are connected to a controlling portion465 such as the CPU via a bus 466.

Also, in the user home network 408, the stationary apparatus 410 has aconfiguration in which a RAM 477, a ROM 478, a displaying portion 479,an inputting portion 480, a recording and playing portion 481, a mediainterface 483 for a recording medium 482, and an IEEE 1394 interface 485that is connected to the IEEE 1394 interface 472 of the home server viaan IEEE 1394 cable 484 are connected to a controlling portion 475 suchas the CPU via a bus 476.

Furthermore, in the user home network 408, the portable device 411 has aconfiguration in which a RAM 492, a ROM 493, a displaying portion 494,an inputting portion 495, and an IEEE 1394 interface 497 that isconnected to the IEEE 1394 interface 472 of the home server via an IEEE1394 cable 496 are connected to a controlling portion 490 such as theCPU via a bus 491.

In this case, by reading out various kinds of programs stored in advancein the ROM 468 to develop them on the RAM 467, the controlling portion465 of the home server 409 can perform processing as in the case of hostcontroller 62, the cipher processing portion 65 and the extendingportion 66 of the home server 51 described above with reference to FIG.15, in accordance with various kinds of these programs.

Also, the displaying portion 469 of the home server 409 has functionssimilar to those of the displaying portion 64 of the home server 51described above with reference to FIG. 15, and the inputting portion 470of the home server 409 has functions similar to those of the inputtingportion 63 of the home server 51 described above with reference to FIG.15. Furthermore, the hard disk drive 471 of the home server 409 hasfunctions similar to those of the large capacity storing portion 68 ofthe home server 51 described above with reference to FIG. 15, the modem473, the network interface 474 and the IEEE 1394 interface 472 havefunctions similar to those of the communicating portion 61 of the homeserver 51 described above with reference to FIG. 15, and the RAM 467 ofthe home server 409 has functions similar to those of the externalmemory 67 of the home server 51 described above with reference to FIG.15.

Thus, the home server 409 of personal computer configuration can achievefunctions similar to those of the home server 51 described above withreference to FIG. 15 in accordance with various kinds of programs.

In this connection, in the home server 409, various kinds of programsmay be recorded in advance in the hard disk of the hard disk drive 471in place of ROM 468, and the hard disk drive 471 may be made to functionas in the case of the external memory 67 described above with referenceto FIG. 15. Also, in the home server 409, the modem 473 and the networkinterface 474 may be integrated into one interface such as a modem,depending on patterns of communication with the service provider 407 andthe electronic distribution service center 401. Furthermore, in the homeserver 409, the stationary apparatus 410 and the portable device 411 maybe cable-connected via a predetermined signal cable such as the USBcable and the RS-232C cable, or wirelessly connected via predeterminedwireless communicating means.

On the other hand, in the user home network 408, by reading out variouskinds of programs stored in advance in the ROM 478 to develop them onthe RAM 477, the controlling portion 475 of the stationary apparatus 410can perform processing as in the case of the host controller 72, thecipher processing portion 73 and the extending portion 74 of thestationary apparatus 52 described above with reference to FIG. 15, inaccordance with various kinds of these programs.

Also, the displaying portion 479 of the stationary apparatus 410 hasfunctions similar to those of the displaying portion 78 of thestationary apparatus 52 described above with reference to FIG. 15, theinputting portion 480 has functions similar to those of the inputtingportion 77 of the stationary apparatus 52 described above with referenceto FIG. 15, and the IEEE 1394 interface 485 has functions similar tothose of the communicating portion 71 of the stationary apparatus 52described above with reference to FIG. 15. Furthermore, the recordingand playing portion 481 of the stationary apparatus 410 has functionssimilar to those of the recording and playing portion 76 of thestationary apparatus 52 described above with reference to FIG. 15, therecording medium 482 has functions similar to those of the recordingmedium 80 of the stationary apparatus 52 described above with referenceto FIG. 15, and the RAM 477 of the stationary apparatus 410 hasfunctions similar to those of the external memory 79 and the smallcapacity storing portion 75 of the stationary apparatus 52 describedabove with reference to FIG. 15.

Thus, the stationary apparatus 410 of the user home network 408 canachieve functions similar to those of the stationary apparatus 52 of theuser home network 5 described above in FIG. 15, in accordance withvarious kinds of programs.

In this connection, in the stationary apparatus 410, a hard disk drivemay newly provided to record in advance various kinds of programs in thehard disk of the hard disk drive in place of the ROM 478, and the harddisk drive may be made to function as in the case of the external memory79 and the small capacity storing portion 75 of the stationary apparatus52 described above with reference to FIG. 15. Also, in the stationaryapparatus 410, if the recording medium 482 is of semiconductor memoryconfiguration, functions of the recording and playing portion 481 may beachieved on the controlling portion 475 in accordance with apredetermined program.

In the user home network 408, by reading out various kinds of programsstored in advance in the ROM 493 to develop them on the RAM 492, thecontrolling portion 490 of the portable device 411 can performprocessing as in the case of the host controller 82, the cipherprocessing portion 83 and the extending portion 84 of the portabledevice 53 described above with reference to FIG. 15, in accordance withvarious kinds of these programs.

Also, the RAM 492 of the portable device 411 has functions similar tothose of the external memory 85 of the portable device 53 describedabove with reference to FIG. 15, and the IEEE 1394 interface 497 hasfunctions similar to those of the communicating portion 81 of theportable device 53 described above with reference to FIG. 15.Furthermore, in this portable device 411, the displaying portion 494 andthe inputting portion 495 may be used during playback of the contents.

Thus, the portable device 411 of the user home network 408 can achievefunctions similar to those of the portable device 53 of the user homenetwork 5 described above with reference to FIG. 15, in accordance withvarious kinds of programs.

In this connection, in the portable device 411, a detachable medium maybe provided for the recording and playing of the contents.

For the electronic music distribution system 400, in the aforesaidconfiguration, the electronic distribution service center 401, thecontent provider 404, the service provider 407 and the home server 409of the user home network 408 are of personal computer configuration,respectively.

Thus, in the electronic music distribution system 400, the electronicservice center 401, the content provider 404, the service provider 407and the home server 409 do not need to be newly produced in hardwareconfiguration for distribution of the contents, and various kinds ofprograms are only installed in an existing personal computer, whereby asystem can be easily constructed using such a personal computer.

According to the above described configuration, the electronic musicdistribution system 400 is constructed using the electronic distributionservice center 401 of the personal computer configuration, the contentprovider 404, the service provider 407 and the home server 409, wherebyan existing personal computer can be easily set as the electronicdistribution service center 401, the content provider 404, the serviceprovider 407 and the home server 409, thus making it possible to easeand simplify system construction.

Furthermore, for the electronic music distribution system 400, caseswhere the electronic distribution service center 401, the contentprovider 404, the service provider 407, the home server 409, thestationary apparatus 410 and the portable device 411 are made to operatein accordance with various kinds of programs stored in advance in theROMs 418, 428, 438, 448, 457, 468, 478 and 493 have been described, buta program storing medium in which various kinds of programs are storedmay be installed in the electronic distribution service center 401, thecontent provider 404, the service provider 407, the home server 409, thestationary apparatus 410 and the portable device 411, thereby operatingrespectively the electronic distribution service center 401, the contentprovider 404, the service provider 407, the home server 409, thestationary apparatus 410 and the portable device 411, in accordance withvarious kinds of programs stored in the program storing medium, andvarious kinds of programs transferred from the program storing medium tothe hard disk and the like.

In this connection, the program storing medium used for operating theelectronic distribution service center 401, the content provider 404,the service provider 407, the home server 409, the stationary apparatus410 and the portable device 411 may be achieved with not only a packagemedium such as a CD-ROM (Compact Disc-Read Only Memory) but also asemiconductor memory, a magnetic disk and the like in which programs aretemporarily or permanently stored. Also, for means for storing programsin these program storing media, cable and wireless communication mediasuch as local area networks, the Internet and digital satellitebroadcasts may be used, and programs may be stored through various kindsof communication interfaces such as routers and modems.

INDUSTRIAL APPLICABILITY

The present invention may be used for information sending devices suchas providers providing contents such as music, images and game programs,and information receiving devices such as personal computers andcellular phones receiving the provided contents, and further networksystems constructed of these information sending devices and informationreceiving devices.

1-68. (canceled)
 69. An information distribution system for distributingdata from an information sending device to an information receivingdevice, wherein said information sending device comprises: first storingmeans for storing content data that is prohibited from being played byan information receiving device that does not include a content key;second storing means for storing content data that is permitted to beplayed by an information receiving device that does not include thecontent key; sending means for sending a plurality of distribution keys,each corresponding to a predetermined time period, and send data, whichincludes data encrypted with key data; and said information receivingdevice comprises: receiving means for receiving said send data and saidplurality of distribution keys; and receiving end controlling means fordecrypting said encrypted data, wherein each of said plurality ofdistribution keys allows decryption of said encrypted data within thepredetermined time period associated with said distribution key,independent of a connection during said predetermined time periodassociated with said distribution key.
 70. An information distributionmethod for distributing predetermined data from an information sendingdevice to an information receiving device, said method comprising: afirst storing step for storing content data, in a first storagelocation, that is prohibited from being played by an informationreceiving device that does not include a content key; a second storingstep for storing content data, in a second storage location, that ispermitted to be played by an information receiving device that does notinclude the content key; a sending step for sending a plurality ofdistribution keys, each corresponding to a predetermined time period,and send data which includes data encrypted with key data; a decryptingstep for receiving said send data and said plurality of distributionkeys; decrypting said encrypted data; and permitting decryption of saidencrypted data within the predetermined time period associated with saiddistribution key, independent of a connection during said predeterminedtime period associated with said distribution key.
 71. An informationsending device for sending predetermined data to an informationreceiving device, said sending device comprising: first storing meansfor storing content data that is prohibited from being played by aninformation receiving device that does not include a content key; secondstoring means for storing content data that is permitted to be played byan information receiving device that does not include the content key;sending end controlling means for generating a plurality of distributionkeys, each corresponding to a predetermined time period, and send datawhich includes data encrypted using key data; and sending means forsending said send data and said plurality of distribution keys, whereineach of said plurality of distribution keys allows decryption of saidencrypted data within the predetermined time period associated with saiddistribution key, independent of a connection during said predeterminedtime period associated with said distribution key.
 72. The informationsending device according to claim 71, wherein said sending endcontrolling means generates send data including an individual keyspecific to said information sending device, as said data encrypted withsaid key data.
 73. The information sending device according to claim 72,wherein said sending end controlling means generates send data includingsaid data encrypted using said key data that is periodically updated.74. The information sending device according to claim 73, wherein saidsending end controlling means generates said send data including saidencrypted data using said key data appropriate to an update period, insaid data encrypted using said key data for a plurality of updateperiods given in advance together. 75-78. (canceled)
 79. An informationsending method for sending predetermined data to an informationreceiving device, said method comprising: a first storing step forstoring content data that is prohibited from being played by aninformation receiving device that does not include a content key; asecond storing step for storing content data that is permitted to beplayed by an information receiving device that does not include thecontent key; a generating step of generating a plurality of distributionkeys, each corresponding to a predetermined time period, and send datawhich includes data encrypted using key data; and a sending step ofsending said send data and said plurality of distribution keys, whereineach of said plurality of distribution keys allows decryption of saidencrypted data within the predetermined time period associated with saiddistribution key, independent of a connection during said predeterminedtime period associated with said distribution key.
 80. The informationsending method according to claim 79, wherein in said generating step,send data including an individual key specific to said informationsending device is generated as said data encrypted with said key data.81. The information sending method according to claim 80, wherein insaid generating step, send data including said data encrypted using saidkey data that is updated periodically is generated.
 82. The informationsending method according to claim 81, wherein in said generating step,said send data including said data encrypted using said key dataappropriate to an update period, in said data encrypted using said keydata for a plurality of update periods given together in advance, isgenerated. 83-86. (canceled)
 87. A program storing medium for storing aninformation sending method wherein said method comprises: a firststoring step for storing content data that is prohibited from beingplayed by an information receiving device that does not include acontent key; a second storing step for storing content data that ispermitted to be played by an information receiving device that does notinclude the content key; a generating step of generating a plurality ofdistribution keys, each corresponding to a predetermined time period,and send data which includes data encrypted using key data; a sendingstep of sending said send data and said plurality of distribution keysto said information receiving device; and allowing decryption of saidencrypted data within the predetermined time period associated with saiddistribution key, independent of a connection during said predeterminedtime period associated with said distribution key.
 88. The programstoring medium according to claim 87, wherein in said generating step,send data including an individual key specific to said informationsending device is generated as said data encrypted with said key data.89. The program storing medium according to claim 88, wherein in saidgenerating step, send data including said data encrypted using said keydata that is updated periodically is generated.
 90. The program storingmedium according to claim 89, wherein in said generating step, said senddata including said data encrypted using said key data appropriate to anupdate period, in said data encrypted using said key data for aplurality of update periods given together in advance is generated.91-218. (canceled)